Ecology Based Decentralized Agent Management System


Maxim D. Peysakhov, Vincent A. Cicirello and William C. Regli 

Department of Computer Science, Drexel University, 
Philadelphia PA 19104 


Abstract. The problem of maintaining a desired number of mobile agents on a network is not trivial, especially if we want a completely decentralized solution. Decentralized control makes a system more robust and less susceptible to partial failures. The problem is exacerbated on wireless ad hoc networks where host mobility can result in significant changes in the network size and topology. In this paper we propose an ecology-inspired approach to the management of the number of agents. The approach associates agents with living organisms and tasks with food. Agents procreate or die based on the abundance of uncompleted tasks (food). We performed a series of experiments investigating properties of such systems and analyzed their stability under various conditions. We concluded that the ecology based metaphor can be successfully applied to the management of agent populations on wireless ad hoc networks.


1 Introduction 

In a typical agent based system, a number of mobile agents cooperate to achieve a desired goal. The efficiency of the agent system in reaching the goal, and the completeness of the result, depend on the number of agents in the system. Too few agents will not achieve the full potential of parallelism and will lead to decreased system efficiency. Too many agents can overburden the system with unnecessary overhead, and may also result in significant delays. The task of finding the optimal number of agents required to achieve the desired effect is difficult and problem-specific. In this paper, we propose an ecosystem-inspired approach to this problem. Similar to a real ecosystem, our solution exhibits properties of emergent stability, decentralized control, and resilience to possible disturbances. In our work, we propose to solve the technical problem of agent management using an ecological metaphor.

In Section 2 we describe the current state of research in the fields of simulated ecosystems and multi-agent control and stability. Section 3 introduces the problem of managing the number of agents populating a physical network and also explains a proposed solution. Lastly, Section 4 demonstrates the initial experimental results and conclusions.



2 Related Work 

2.1 Simulated Ecology 

The majority of ecology-inspired systems are used to answer some question about real-world ecosystems and their properties. For example, the RAM system has been used to study mosquito control [23]. There are two major approaches to simulating an ecosystem [6]. One is a species-based view of the system, where large classes of individuals interact in the simulation (i.e., modeling the dynamics of interaction of species rather than the interaction of individuals). Evolutionary game theory (e.g., [1] [18] [17]) and dynamical systems (e.g., [9] [15] [14]) are two approaches that often take the species-based view. The second approach is to simulate individuals and their interactions, a bottom-up approach to construction of the ecological simulator.

We are most interested in individual-based simulations, since they are usually built with software agents. An example of an individual-based approach to ecosystems is a simulated habitat populated with synthetic organisms (agents) [19]. Often such systems are used to study the evolution (and co-evolution) of different species and testing their interactions and emergent behavior. Genetic Algorithms [8] and Genetic Programming [10] engines can be used in conjunction with synthetic ecosystems to allow species to evolve over time. Some of the most well known examples of synthetic ecosystems of this type are Evolve 1, 2 and 3 [4] [5] [21], “Artorg world” [3] and LAGER [19].

With this approach, global trends in the behavior of the system may emerge as a result of the low-level interactions of individual agents. The emergent behavior observed in an ecosystem may not be obvious given the individual behaviors of agents.

2.2 Agent System Stability 

Service replication An increasing number of researchers are investigating the problems of reliability, robustness, and stability of multi-agent systems (MAS). Most approaches toward improving system robustness revolve around the replication of agents and/or services on the MAS network. This direction has been taken by [7], [12], [16] and several others. Existing approaches focus on the methodology of agent/service replication.

Probabilistic models Another approach is the application of probabilistic models to the prediction of agent system stability and robustness. This research assumes some uncertainty in agent behavior or the agent’s environment, and proposes mechanisms for estimating, evaluating and hopefully improving stability of agent systems. One of the first researchers to analyze probabilistic survivability in an MAS is Kraus in [11]. In that paper Kraus proposed a probabilistic model of MAS survivability based on two assumptions: (1) the global state of the network is known at all times; and (2) the probabilities of host or connection failure are known. An alternative approach was proposed in [20, 2], where agents reason about the state of the network and the security (insecurity) of their actions.


3 Problem Formulation 

3.1 Motivation 

In a typical dynamic ad hoc network there is limited, variable bandwidth between hosts, and the memory and CPU on each host are constrained. Given this dynamic and resource constrained environment, it is impractical to prescribe any precomputed solution.

The solution we propose for such networks is to create a system that can control the number of agents dynamically, adapting to the ever-changing environment. In order to work in the context of an agent based system, a control system should be distributed and decentralized. By distributed, we mean that the system should be able to use the underlying network to parallelize problem solving on multiple hosts. By decentralized, we mean that the system should avoid reliance on a single node, and should allow each agent to act independently. The emergent behavior resulting from the individual localized control decisions ideally will yield an optimal, or near-optimal, solution at the global level.

3.2 Approach 

Large ecosystems usually have several attractive qualities (such as dynamic decentralized control, self regulation, no single point of failure, robustness, and stability) that we require for our system. We propose a solution to the problem of determining the number of agents appropriate for a task at hand that is inspired by large ecosystems:

1. Each task in our system is associated with food. 

2. Agents which successfully complete a task collect the associated food points. 

3. Agents consume food points over time to sustain their existence. 

4. Agents that exhaust their supply of food die. 

5. An abundance of food can cause a new agent to spawn. 

By this analogy, tasks can be thought of as plant life growing at some rate. Agents are associated with herbivore animals that perform tasks, therefore eating all the food provided by successfully completing a task. Upon completion of a task, an agent is forced to migrate to look for more food (tasks to complete). As time passes, agents consume food according to a predefined consumption function, analogous to the metabolic rate of an animal. Agents unable to find enough food (tasks) to sustain their existence over time will exhaust their food resources and will be terminated. Large amounts of food collected by a single agent or accumulated in a single location can force a new agent to spawn at this location. Agents procreate by division, similar to cell mitosis. However, this approach alone makes it impossible for the system to recover from a state with no agents. Therefore, we also allow tasks the ability to spawn a servicing agent whenever a certain threshold of accumulated food supply is reached. This control metaphor allows the system to dynamically adjust to the environment, while avoiding centralized control.



3.3 Formal Model 


The set $H$ denotes the set of producers $h$ ($h \in H$), with the production rate defined by a function $f_h(t)$ for each individual producer $h$. The set $A$ denotes the set of consumers $a$ ($a \in A$), and each consumer has a predefined consumption function $f_a(t)$. The dynamic system of $H$ producers and $A$ consumers is considered to be in an equilibrium state over some period of time from $t_1$ to $t_2$ if and only if the amount of food produced during that period of time is equal to the amount of food consumed during that same period of time. This relationship can be expressed as:

$$\sum_{h \in H} \int_{t_1}^{t_2} f_h(t)\,dt = \sum_{a \in A} \int_{t_1}^{t_2} f_a(t)\,dt$$

At the simplest level, these principles can be modeled by a dynamic system of homogeneous producers and homogeneous consumers with constant production and consumption rates, $c$ and $d$ respectively. The equations below define the equilibrium state for this simple example:

$$\sum_{h \in H} \int_{t_1}^{t_2} c\,dt = \sum_{a \in A} \int_{t_1}^{t_2} d\,dt$$

$$|H| \times c \times (t_2 - t_1) = |A| \times d \times (t_2 - t_1)$$

$$|A| = |H| \cdot \frac{c}{d}$$

This is essentially a species-based analysis of our individual-based ecological 
control system. 

4 Experimental Results 

4.1 System Setup 

In order to confirm our conclusions we implemented a series of experiments using a discrete event simulation. The control flow of an ecology based agent is shown in Figure 1(a). According to this control flow diagram, an agent first decreases its internal food bank by $f_a(t)$ for each second that elapsed since the last decrement. Then, the agent completes the task and collects all food points associated with that task. Based on its current food resources, the agent may decide to die or to reproduce. Lastly, the agent migrates to another random host looking for food. We experimented with different ways for an agent to decide when to reproduce. We chose a fuzzy threshold method. Given the threshold value $r$, the probability of an agent reproducing is 0 if the amount of food is less than $r - \frac{r}{2}$. The probability of an agent reproducing is 1 if the food level exceeds $r + \frac{r}{2}$, and the probability of reproducing grows linearly between these two points. A plot of the probability of reproducing is shown in Figure 1(b). The threshold needs to be fuzzy to avoid undesirable oscillations in the system.

Fig. 1. Agent life cycle (a) and probability of reproduction based on the food level (b).

If a small number of agents is desired on the network, it is possible for the system to go into an extinction mode, a state with no agents on the network. In order to recover from this situation, we enable hosts to spawn new agents. The same fuzzy threshold rules apply to hosts as to agents. All of the experiments were performed on a completely connected network of statically placed hosts. All hosts grow food at the rate of 1 unit per iteration. All experiments start with a single agent with an initial food bank of 500 units. The reproduction threshold $r$ was set to 800, resulting in an $800 \pm 400$ range for hosts and agents. Additional experiments were performed using the real agent system EMAA [13] over a wired local area network.
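As an added worked example (not code from the paper or from the EMAA system it used), the following Python discrete-event simulation implements the five rules of Section 3.2 and the agent life cycle of Section 4.1 on a completely connected network, with the paper's settings: production of 1 unit per host per iteration, consumption of 5 units per agent per iteration, a first agent holding 500 units, and the fuzzy threshold r = 800 (the 800 ± 400 band) applied to both agents and hosts. It also computes the species-level prediction |A| = |H| · c/d of Section 3.3 so the sampled agent count can be compared with the target. Three details are assumptions, not statements of the paper: mitosis splits the parent's food bank in half, a host that spawns an agent hands it the host's entire food bank, and the `migration_delay` parameter (1 iteration here) stands in for link quality.

```python
import random
from dataclasses import dataclass


def reproduction_probability(food: float, r: float) -> float:
    """Fuzzy threshold of Figure 1(b): probability 0 below r - r/2,
    1 above r + r/2, and linear in between (r = 800 gives 800 +/- 400)."""
    low, high = r - r / 2, r + r / 2
    if food <= low:
        return 0.0
    if food >= high:
        return 1.0
    return (food - low) / (high - low)


def equilibrium_agents(num_hosts: int, production: float, consumption: float) -> float:
    """Species-level prediction of Section 3.3: |A| = |H| * c / d."""
    return num_hosts * production / consumption


@dataclass
class Agent:
    food: float    # internal food bank
    host: int      # host the agent is at, or is travelling to
    arrival: int   # iteration at which it reaches `host`


def _other_host(rng: random.Random, current: int, num_hosts: int) -> int:
    """Pick a random destination different from the current host."""
    if num_hosts == 1:
        return current
    dest = rng.randrange(num_hosts - 1)
    return dest + 1 if dest >= current else dest


def simulate(num_hosts: int, iterations: int, production: float = 1.0,
             consumption: float = 5.0, r: float = 800.0, initial_food: float = 500.0,
             migration_delay: int = 1, sample_every: int = 10, seed: int = 0) -> list:
    """Run the ecology on a completely connected network of `num_hosts` hosts
    and return the number of agents sampled every `sample_every` iterations.
    `migration_delay` is the travel time in iterations (assumed stand-in for
    link quality: 1 for 100%, 16 for 0% in the paper's terms)."""
    rng = random.Random(seed)
    host_food = [0.0] * num_hosts
    agents = [Agent(food=initial_food, host=0, arrival=0)]
    samples = []

    for t in range(iterations):
        # Food (tasks) grows on every host at the production rate.
        for h in range(num_hosts):
            host_food[h] += production

        survivors = []
        for ag in agents:
            # Metabolism: the bank shrinks every iteration, even in transit.
            ag.food -= consumption
            if ag.food <= 0:
                continue                      # starved: the agent dies
            if t < ag.arrival:
                survivors.append(ag)          # still migrating
                continue
            # Complete the task at this host and collect all of its food.
            ag.food += host_food[ag.host]
            host_food[ag.host] = 0.0
            # Reproduce by division. Halving the bank between parent and child
            # is an assumption; the paper only says "similar to cell mitosis".
            if rng.random() < reproduction_probability(ag.food, r):
                ag.food /= 2
                survivors.append(Agent(food=ag.food,
                                       host=_other_host(rng, ag.host, num_hosts),
                                       arrival=t + migration_delay))
            # Migrate to another random host to look for more food.
            ag.host = _other_host(rng, ag.host, num_hosts)
            ag.arrival = t + migration_delay
            survivors.append(ag)

        # A host with an abundance of uncollected food may spawn a servicing
        # agent under the same fuzzy rule, so the system can leave extinction.
        for h in range(num_hosts):
            if rng.random() < reproduction_probability(host_food[h], r):
                survivors.append(Agent(food=host_food[h], host=h, arrival=t + 1))
                host_food[h] = 0.0

        agents = survivors
        if t % sample_every == 0:
            samples.append(len(agents))
    return samples


if __name__ == "__main__":
    for n in (8, 15, 23, 35):
        counts = simulate(n, iterations=20000, seed=1)
        print(f"{n:2d} hosts: target {equilibrium_agents(n, 1, 5):.1f}, "
              f"mean {sum(counts) / len(counts):.2f}")
```

Running the module prints, for 8, 15, 23 and 35 hosts, the target from the equilibrium formula beside the mean sampled count over 20,000 iterations. The mean stays near the target for a reason independent of the random choices: over a long run, total consumption must match total production, and the food held in agent and host banks is bounded by the reproduction thresholds, so the time-averaged agent count is pinned to |H| · c/d. Raising `migration_delay` toward 16 corresponds to the lower link quality studied in Section 4.4, where agents consume food while in transit without collecting any.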


4.2 System Behavior Over Time 

In this section, we investigate the changes in the number of agents over time. 
The consumption rate is set to 5 food units per iteration for all agents. Each 
experiment consists of 15 trials. A single trial consists of initializing the system 
and running it for 90,000 iterations. The number of agents is recorded every 10 
iterations. Data is averaged across all trials to obtain the plots. 
Fig. 2. System behavior over time.



Fig. 3. Distribution of the number of agents for the network sizes of 8 (a), 15 (b), 23 
(c) and 35 (d) hosts. 


Constant Number of Hosts. Experiments were repeated for graphs of 35, 23, 15 and 8 hosts, shown in Figure 2 (top to bottom). Horizontal bold lines represent the targeted number of agents, 7.0, 4.6, 3.0 and 1.6 respectively, and the actual number of agents in the system is plotted by the thinner lines. It is easy to see that in all of the experiments the actual number of agents oscillates close to the target value; however, oscillations are somewhat higher for the network of 8 hosts. Figure 3 demonstrates the actual distribution of the numbers of agents during the experiments for 8 (a), 15 (b), 23 (c) and 35 (d) hosts with a normal distribution curve fitted to the data. The distribution is close to normal for all experiments but the one with 8 hosts. Such system behavior can be explained by the fact that a system with a small number of agents is prone to extinction of the population. Whenever the system recovers, it usually overshoots the targeted number of agents and oscillates for a while. These oscillations are repeated every time the system goes into extinction mode. A more detailed analysis of this phenomenon is given in Section 4.3.

Fig. 4. System behavior over time (a) and standard deviation (b).


Changing Number of Hosts. During this test we observed the system’s ability to react to rapid unplanned changes in the number of hosts. The experiment was set up identically to the one described in Section 4.2 except that the number of hosts was changed every 30,000 iterations without reinitializing the system. The number of hosts was changed from 23 to 15 to 8 and back to 35 hosts. We feel that such drastic changes in the number of hosts approximate the process of islanding and merging in wireless mobile networks of lightweight devices carried on foot by police or military units. Whenever the hosts were shut down, all of the agents on these hosts and agents traveling to these hosts were also shut down. Whenever brought back on line, hosts initially had no food or agents on them. That type of change introduces a high level of disturbance into the system. The number of agents over time is plotted in Figure 4(a). The bold red line represents the target number of agents at any given moment. The black thinner line shows the actual number of agents. One can see that the actual number of agents follows the target number closely in all segments of the plot except for the one that corresponds to 8 hosts.

The standard deviation of the number of agents is plotted in Figure 4(b). 
Standard deviation peaks when we change the number of hosts on the network 
due to the highly disruptive nature for the agent community of shutting down 
(or starting up) several hosts. Also standard deviation is higher at the segment 
corresponding to 8 hosts. We believe that such high standard deviation is caused 
by temporary extinction of agents and the oscillations that occur during recovery 
from it. 

4.3 Dependency Between the Number of Agents and the Number of Hosts

In this section, a single trial consisted of 100,000 iterations of the simulator. The number of agents is recorded every iteration and averaged across the trial to obtain a single data point. Trials were repeated for networks of sizes 3 to 35 hosts (odd numbers of hosts only). Experiments are plotted in Figure 5(a) with consumption rates set to 3 times, 5 times and 7 times the production rate, from top to bottom. Although all 3 graphs appear to be linear, they are composed of 16 independently obtained data points. The experiment confirms that the system does what it is designed to do, namely maintain the given average ratio of hosts to agents, despite dynamic changes in the number of hosts. Figures 5(b) and 5(c) show the standard deviation of the number of agents in terms of the number of hosts and the number of agents respectively for all 3 experiments. Styles and colors of the plots correspond to the ones in Figure 5(a). Although each is unique, the overall shape of the plots is similar. After the initial hump associated with the extinction mode and recovery from it, the plots level off in the area of 3 - 4 agents and then increase slightly. The linear increase can be explained by the linear increase in the number of agents. The only disturbance to that scheme is the point with a target value of exactly 1 agent. For such systems it is possible to sustain a single agent for the duration of the whole experiment without ever going into the extinction mode, resulting in no variance in the data.

Fig. 5. Dependency between number of agents and number of hosts (a), between number of hosts and standard deviation (b), and between number of agents and standard deviation (c).


4.4 Dependency Between the Number of Agents and the Link Quality

This set of experiments was set up exactly as the one described in Section 4.3 except that the changing parameter was link quality. A link of 100% quality implies that no artificial delay is introduced and migration only takes one iteration. A link of 0% quality means that the maximum possible delay is introduced and migration takes 16 iterations (in simulator time). Figure 6(a) shows the target number of agents, actual number of agents and standard deviation of the number of agents changing based on the link quality. Although the actual number of agents slightly increases with a decrease in link quality, it remains within 10% of the target value. Standard deviation, however, increases significantly as the speed of communication decreases. Some improvement of standard deviation at extremely low speeds can be explained by consistently poor performance of the system. Figure 6 (b) and (c) show the actual distribution of the number of agents for 10% and 90% link speed respectively. The distribution for the higher link speeds is more compact and closer to normal. Such behavior of the system can be explained by the fact that at the lower values, agents cannot move from one host to another fast enough to collect enough food to sustain their existence. This causes extinction of agents and forces the system to re-stabilize after it recovers from the state with no agents.

Fig. 6. Dependency between number of agents and standard deviation from link speed (a), and distributions for 10% (b) and 90% (c) link speed.

5 Future Work and Conclusions 

5.1 Future Work 

In the future we are planning several extensions to this work.

1. We are planning a more extensive set of live experiments utilizing the Secure Wireless Agent Testbed (SWAT) [22].

2. We would also like to create a more detailed mathematical model of such systems to be able to predict and control the emergent behavior of an agent system. This model should be used for parameter fine tuning, something that was done manually during the current experiments.

3. We are also planning to introduce an on-line system for tuning such parameters as consumption and production rates, thresholds and fuzzy intervals, etc. Some of the techniques we are planning to try include machine learning, swarm based techniques and genetic algorithms.

4. It would be interesting to expand the model from a plant — herbivore system to plant — herbivore — carnivore. That extension will allow us to create more complicated food chains resulting in more elaborate control over the populations of different types of agents.



All of these techniques promise to improve on the current research and provide more stable decentralized ways to control the number of agents on a wireless ad hoc network.

5.2 Conclusions 

This paper developed an ecology-based model for managing the number of agents 
on ad hoc wireless networks. We have discovered that an ecosystem based model 
can provide decentralized distributed robust control of agents in dynamic and 
uncertain network environments. Our approach involves a novel exploitation of 
properties of ad hoc networks, enabling mobile agents to automatically adapt 
to changes that affect their communication and migration. The capability to 
dynamically adjust to the state of their network provides new possibilities for 
stable MAS. 

References 

1. J. M. Alexander. Evolutionary game theory. In E. N. Zalta, editor, The Stanford Encyclopedia of Philosophy. Stanford University, Summer 2003. http://plato.stanford.edu/archives/sum2003/entries/game-evolutionary/.

2. Donovan Artz, Max Peysakhov, and William C. Regli. Network meta-reasoning for 
information assurance in mobile agent systems. In Eighteenth International Joint 
Conference on Artificial Intelligence , pages 1455-57, Aug 2003. 

3. A. Assad and N. Packard. Emergent colonization in an artificial ecology. In 
F. Varela and P. Bourgine, editors, Toward A Practice of Autonomous Systems: 
Proceedings of the First European Conference on Artificial Life., pages 143-152. 
MIT Press, 1992. 

4. M. Conrad and H. H. Pattee. Evolution experiments with an artificial ecosystem. J. Theoret. Biol., 28:393-409, 1970.

5. M. Conrad and M. Strizich. EVOLVE II: A computer model of an evolving ecosys- 
tem. BioSystems , 17:245-258, 1985. 

6. Gary William Flake. The Computational Beauty of Nature: Computer Explorations 
of Fractals, Chaos, Complex Systems, and Adaptation MIT Press, July 1998. 

7. Felix C. Gartner. Fundamentals of fault-tolerant distributed computing in asynchronous environments. ACM Computing Surveys, 31(1):1-26, 1999.

8. D. Goldberg. Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Pub Co, December 1989.

9. S. Goldenstein, E. Large, and D. Metaxas. Non-linear dynamical system approach 
to behavior modeling. The Visual Computer, 15:349-364, 1999. 

10. J. R. Koza, F. H. Bennett III, F. H. Bennett, D. Andre, and M. A. Keane. Ge- 
netic Programming III: Automatic Programming and Automatic Circuit Synthesis . 
Morgan Kaufmann Publishers, 1999. 

11. S. Kraus, V.S. Subrahmanian, and N. Cihan Tacs. Probabilistically survivable 
mass. In Proceedings of the International Joint Conference on Artificial Intelligence 
( IJCAI-2003 ), pages 780-795, 2003. 

12. Sanjeev Kumar, Philip R. Cohen, and Hector J. Levesque. The adaptive agent ar- 
chitecture: Achieving fault-tolerance using persistent broker teams. In Proceedings 
of the Fourth International Conference on Multi-Agent Systems (ICMAS 2000), 
pages 159-166, July 2000. 


13. R.P. Lentini, G. P. Rao, J. N. Thies, and J. Kay. Emaa: An extendable mobile 
agent architecture. In AAAI Workshop on Software Tools for Developing Agents , 
July 1998. 

14. K. Lerman and A. Galstyan. A general methodology for mathematical analysis 
of multi-agent systems. Technical Report ISI-TR-529, USC Information Sciences, 
2002. 

15. K. Lerman and A. Galstyan. Macroscopic analysis of adaptive task allocation in 
robots. Submitted to IROS-03, 2003. 

16. O. Marin, P. Sens, J. Briot, and Z. Guessoum. Towards adaptive fault tolerance for distributed multi-agent systems. In Proceedings of the First International Joint Conference on Autonomous Agents and Multiagent Systems: Part 2, pages 737-744, 2002.

17. J. Maynard-Smith. Evolution and the Theory of Games. Cambridge University 
Press, Cambridge, 1982. 

18. J. Maynard-Smith and G. Price. The logic of animal conflict. Nature, 146:15-18, 1973.

19. R. L. Olson and A. A. Sequeira. An emergent computational approach to the study 
of ecosystem dynamics. Ecological Modeling , 79:95-120, 1995. 

20. M. Peysakhov, D. Artz, E. Sultanik, and W. C. Regli. Network awareness for mobile agents on ad hoc networks. In Proceedings of the Third International Joint Conference on Autonomous Agents and Multi Agent Systems (AAMAS-2004), July 2004.

21. M. Rizki and M. Conrad. EVOLVE III: A discrete events model of an evolutionary ecosystem. BioSystems, 18:121-133, 1985.

22. Evan Sultanik, Donovan Artz, Gustave Anderson, Moshe Kam, William Regli, 
Max Peysakhov, Jonathan Sevy, Nadya Belov, Nicholas Morizio, and Andrew 
Mroczkowski. Secure mobile agents on ad hoc wireless networks. In The Fif- 
teenth Innovative Applications of Artificial Intelligence Conference , pages 129-36. 
American Association for Artificial Intelligence, Aug 2003. 

23. Taylor, E. Charles, Turner, Scott, and Seth R. Goldman. RAM: Artificial life for the exploration of complex biological systems. In C. G. Langton, editor, Artificial Life: SFI Studies in the Sciences of Complexity, pages 275-295. Addison-Wesley, Redwood City, CA, 1989.



From Abstract to Concrete Norms 
in Agent Institutions 


Davide Grossi and Frank Dignum

Utrecht University, 

The Netherlands 
{davide, dignum}@cs.uu.nl


Abstract. Norms specifying constraints over institutions are stated in a form that allows them to regulate a wide range of situations over time without need for modification. To guarantee this stability, the formulation of norms needs to abstract from a variety of concrete aspects, which are instead relevant for the actual operationalization of institutions. If agent institutions are to be built which comply with a set of abstract requirements, how can those requirements be translated into more concrete constraints, the impact of which can be described directly in the institution? In this work we make use of logical methods in order to provide a formal characterization of the translation rules that operate the connection between abstract and concrete norms. On the basis of this characterization, a comprehensive formalization of the notion of institution is also provided.


1 Introduction 

Electronic institutions, such as auctions and market places, are electronic counterparts of institutions that are established in our societies. They are established to regulate interactions between parties that are performing some transaction (see [6] for more details on the roles of institutions). Interactions are regulated by incorporating a number of norms in the institution which indicate the type of behavior each of the parties in the transaction should adhere to within that institution. The main concern of this work is to investigate what formal relation could be specified which accounts for how (abstract) norms can be incorporated in the (concrete) procedures constituting the institution, in such a way that agents operating within the institution either operate in accordance with those norms, or may be punished as they violate them.

That this relation is more complicated than just adding some constraints on the actions in the institution can be seen from the following example. The norm “it is forbidden to discriminate on the basis of age” can be formalized in deontic logic as “F(discriminate(x, y, age))” (stating that it is forbidden to discriminate between x and y on the basis of age). The translation of this formula would come down to something like: the action “discriminate(x, y, age)” should not occur. However, it is very unlikely that the agents operating within the institution will explicitly have such an action available. The action actually states something far more abstract. We claim that the level on which the norms are specified is more abstract and/or general than the level on which the processes and structure of the institution are specified. From an institutional standpoint, norms therefore need, in order to be incorporated in the institution itself, to be “translated” to a level at which their impact on the institution can be described directly. A formal account of these “translation rules” constitutes the central aim of this work.

The work is organized in accordance with the following outline. In Section 2 some preliminaries about the notions of norms, normative systems and institutions are set forth; in Section 3 the issue addressed is made concrete by means of two examples, and our line of analysis of the problem is stated; in Section 4 a formal framework is proposed, which allows for formal definitions of the notions of abstract and concrete norms, and of translation rules; in Section 5 these definitions are used in order to provide a formal account of the notion of institution itself, able to cope with the issue of abstractness of norms; in Section 6 this formal notion is shown to be embeddable in various formal argumentation systems, thus enabling the possibility of articulate institutional reasoning patterns; finally, in Section 7, some conclusions are drawn.

2 Some Preliminaries 

The first concept to introduce is the concept of norm. As we will see later in Section 2.2, institutions are defined in terms of norms, which are therefore the basic building block, so to say, of our work. With the term norm we intend whatever in general indicates something ideal and which, consequently, presupposes a distinction between what is ideally the case and what is actually the case. In natural language norms are usually, but not always, expressed by locutions such as: “it is obligatory”, “it is forbidden”, “it is permitted”, etc.

In this paper we will assume norms to be conditional, because that is the form in which they mostly appear in statutes and regulations governing institutions. In conditional norms we recognize the condition of application of the norm, and its normative effect, i.e. the normative consequence the norm subordinates to its condition: “under condition A, it is obligatory (respectively, permitted or prohibited) that B”.

Another important concept we will come to take into consideration, though not in detail, is the concept of procedure. Here a procedure is seen as an algorithm-like specification describing how a certain activity is carried out. The difference between a norm and a procedure is of extreme relevance for our purposes (see Section 2.2): a norm states that something ought to be the case under certain conditions, while a procedure describes only a way of bringing something about; semantically, norms incorporate a concept of ideality, whereas for procedures a notion of transition is instead central.

2.1 Normative Systems 

In [14] normative systems are defined as follows:

“a normative system is any set of interacting agents whose behavior can [. . . ] be regarded as norm directed”.

According to this view, a normative system is thus a norm directed agency. In this sense, a set of norms meant to direct an agency constitutes a form of (normative) specification of that agency; in other words, a set of norms addressed to a given agency determines that agency as a normative system. As such, normative systems are therefore amenable to formal description in terms of logical theories containing normative expressions¹.

There is wide agreement upon the fact that all normative systems of high complexity, like for example legal systems, cannot be regarded simply as sets of norms ([14, 13]). Besides norms, they consist also of definitional components yielding a kind of contextual definition: “A means (counts as) B in context i”. An example: “signing form 32 counts as consenting to an organ donation, in the context of Spanish transplant regulation [26]²”. Normative components of this type are known in legal and social theory as constitutive norms, while purely normative components, i.e. what we called norms, are known as regulative norms (see for example [12, 19, 25]). Both these components will be logically represented (Section 4) by means of rules: regulative norms via rules having a deontic consequent (normative rules); constitutive norms via translation rules. The concepts introduced are recapitulated in Table 1.


Table 1. Normative systems' components

COMPONENTS            REPRESENTATION
regulative norms      normative rules
constitutive norms    translation rules


2.2 Institutions 

The term institution is quite ambiguous. Following [17] we distinguish two senses 
of the term, which are of significance for our purposes. 

— First, an institution can be seen as the set of agents with specific roles, private 
and common objectives, the activities of which are procedurally determined. 
We speak in this case about institutions seen as organizations. As an ex- 
ample, the agents operating Utrecht Hospital, and the set of procedures 
according to which their activity is planned, constitute an organization. 

— Second, an institution can be seen as the set of norms (constitutive and 
regulative) an organization can instantiate by implementing them. We use in 

1 This is precisely how normative systems are conceived in [1], where they are analyzed as sets of 
sentences deductively connecting normative conditions to normative effects. 

2 These examples have been chosen on the basis of work carried out on the regulations from which 
they are excerpted. 




this case the term institutional form. In this sense the set of regulations 
holding at Utrecht Hospital defines an institutional form. Also the set of 
regulations concerning hospitals in The Netherlands defines an institutional 
form, namely a general institutional form, say, “hospital” . The organization 
of Utrecht Hospital instantiates both these institutional forms. 

This distinction between organizations and institutional forms lies in the afore- 
mentioned distinction between norms and procedures. While analyzing institu- 
tions as organizations emphasizes the procedural aspects involved in operating 
institutions, an analysis of them in terms of institutional forms stresses instead 
the normative nature of institutions' specifications. This last perspective on in- 
stitutions is the one underpinning the analysis of abstract and concrete norms 
that will be carried out in the next sections. Viewing institutions as institutional 
forms, that is to say, as sets of constitutive and regulative norms, allows for an 
application of a normative system perspective ([13, 14]) to their analysis and 
will lead, in Section 5, to a formal definition of institutions as sets of rules^3. 

It is instructive to spend a few more words on the distinction proposed. 
The relation between these two conceptions of institutions constitutes a very 
interesting issue, which is also of definite relevance in relation to the gen- 
eral problems addressed here. What is at stake is the understanding of how an 
organization implements an institutional form, or in other words, how a 
set of procedures can implement a set of norms and what the formal link between 
norms and procedures is. Answering these questions would lead to a deeper un- 
derstanding of the variety of aspects characterizing institutionalized agencies. 
This problem forms nevertheless a separate issue, which will not be explicitly 
dealt with in the present paper^4. 

3 Abstractness of norms 

3.1 Abstract norms and concrete norms 

The issuing of norms, as it appears in various statutes or regulations specifying 
constraints over institutions, has the characteristic of stating norms in such a 
form that allows them to regulate a wide range of situations and to be stable for 
a long period of time. The vaguer or more abstract norms are, the easier it becomes to 
keep them stable. The downside of this stability is that normative formulations 
seem to be less well defined. In law it is even an explicit task of the judges to 
interpret the law for specific situations and determine whether someone violated 
it or not. 

It is our thesis that abstract and concrete notions are described within differ- 
ent ontologies. Concrete norms are described in terms of the concepts that are 

3 The formal analysis of organizations, i.e. procedural description of agencies, is therefore left aside in 
this work. In what follows we will use the terms institution and institutional form interchangeably. 

4 See [7] for some first thoughts on this topic. 


used to specify (possible) procedural descriptions of the concrete institutions. 
Abstract levels are instead described using a more general ontology. 

In order to precisely illustrate the problem we are concerned with, we discuss 
two examples. The first one is taken from the Dutch regulation about personal 
data treatment within police registers ([8]). In the mentioned regulation the 
following norm is stated: “the inclusion of personal data in a severe criminality 
register occurs only when it concerns: a) suspect of crimes; b) etc.” (Article 
13a). This norm states that, under certain conditions, personal data may be 
included in a specific kind of police register. Suppose now that an electronic 
institution for that register has to be built which fully complies with the norms 
regulating the use of that register ([5]). The following question naturally 
arises: “what can be concretely included in the register”, that is, “what is clas- 
sified to be personal data in the context of [8]”? That this is more than just a 
definitional issue can be seen from the fact that more data may be included 
as they regard suspects and less as they regard persons which are indirectly 
connected with a crime: the notion of personal data varies. These “variations” 
are specified in the model regulations on police registers ([16]). 

The second example is instead taken from the Spanish regulation on organ 
transplantation ([26]): “a living donor must consent before a transplantation 
may take place” (Article 9). An analogous question can be raised: “what is un- 
derstood as consent in the context of [26]”? This example shows that abstraction 
takes place over data (first example) as well as over actions. The consent action 
can be implemented by signing form 32 within the context of the transplant 
regulation in Spain. However, this way of implementing consent is only “valid” 
within that context. 

On what basis are we entitled to consider the above translations as comply- 
ing with the abstract ones? Signing a form seems a reasonable implementation 
of giving consent, whereas we would probably not accept wearing a red hat as a 
way of implementing consent. What does the connection between abstract and 
concrete normative formulations consist of, from a formal point of view? This 
is the central question we are addressing here. 

3.2 Connecting abstract and concrete norms 

The model regulation on severe criminality registers ([16]) is explicitly con- 
ceived to lead to an application of the law in the context of the usage of severe 
criminality registers. The following norm is stated: “[In a severe criminality 
register] the following kinds of data can at most be included: financial and cor- 
porate data; data concerning nationality; etc.” (Article 6). Basically, this article 
provides the list of data that are allowed to be included in the register, and it 
therefore consists of a concrete version of Article 13a cited in Section 3.1. Such a 
“translation”, as we called it, is possible because an interpretation of the notion 
of personal data occurring in Article 13a is somehow presupposed: “personal 
data are financial and corporate data; data concerning nationality; etc.”. This 




rule, defining the notion of personal data within the context of the usage of 
severe criminality registers, states that if something is a datum concerning the 
nationality of, for instance, a suspect, then this datum is a personal datum 
and it can therefore be legally included in the register. We claim these rules to 
constitute the connection between abstract and concrete norms. 

In this example, being a personal datum is an abstract fact exactly because 
something can be a personal datum in many ways, depending on the context: 
in the context of the regulation of severe criminality registers, data as specified 
in Article 6 count as personal data, but within a different context, for example 
in the regulation about so called provisional police registers, something else can 
count as a personal datum. Abstract constraints are stable and hold for many 
situations because they are made concrete in several, possibly different, ways. 
The contextual nature of these translation rules led us to the logical framework 
we are going to present in Section 4. 

To understand this contextual nature of institutions it seems useful to see 
them as regulating facts that hold on specific levels of abstractness: concrete 
levels are the levels on which facts hold that can be directly handled by the 
procedures an institution is organized through (something is a datum concern- 
ing nationality); abstract levels are the levels on which more abstract facts hold 
(something is a personal datum), and to which many more concrete levels can 
be seen to converge via translation rules. We therefore understand institutions 
as sets of norms and translation rules which regulate facts holding on levels of 
abstractness^5. Such a perspective also shows how more particular institutions, 
such as the ones operating severe criminality registers, are nested in more gen- 
eral ones, such as the one regulating the use of police registers in general. This 
nesting takes place through the abstractness layering. Figure 1 below provides 
a graphical account of the intuitions just exposed. 

Analogous considerations may be carried out in relation with the second ex- 
ample mentioned in Section 3.1. 

4 Formal framework 

4.1 A logic for levels of abstractness 

Before presenting a proposal to formally capture the notion of level (context) 
we have in mind, it is necessary to identify, in further detail, the features of this 
concept that we would like to be able to express in our formalism. 

1. In our view, levels constitute a structure ordered according to the relation 
“ i is strictly less abstract than j ” . This relation is, reasonably, irreflexive, 
asymmetric and transitive. Moreover, it seems intuitive to assume it to be 

5 See section 2. 




Fig. 1. Institutions and levels 

partial. There might be levels $i$ and $j$ both strictly less abstract than a given 
level $k$, but such that they remain unrelated with respect to each other^6. 

2. Levels are such that what holds in a level holds irrespectively of the level 
from which that fact is considered: if at level $i$ the donor expresses his/her 
consent, then at level $j$ it holds that at level $i$ the donor expresses his/her 
consent, and vice versa. 

3. No inconsistency holds at any level, levels are coherent. 

4. Finally, there exists a trivial “outermost level”, representing the absence of 
context, that is, the level of logical truths. 

To capture these features we use a multi modal logic $\mathrm{KD45}^{i\text{-}j}_n$ ([15]) which 
corresponds to a propositional logic of $n$ contexts (PLC) with: consistency prop- 
erty (corresponding to feature 3), flatness property (feature 2), outermost con- 
text (feature 4) and total truth assignments (see [18, 4, 3])^7. 

Language. The alphabet of the language $\mathcal{L}^L$ for levels of abstractness expands 
the language for propositional logic and contains the following sets of symbols: 
the set of logical connectives $\{\neg, \wedge, \vee, \to\}$; the set of propositional constants $P$; 
and the set of modal operators $\{\Box_i\}_{i \in L}$, where $L$ is the set of indexes denoting 
levels of abstractness and $|L| = n$, that is to say, there are as many modal 
operators as levels of abstractness. The set of well formed formulas $F$ is then 

6 Notice that these are precisely the properties also of the conventional generation relation analyzed 
in [10]. 

7 We deemed a multi modal formalism to be better readable than a propositional context logic one. 
This is the reason why we chose to use a modal logic formulation instead of a contextual logic 
one. The correspondence result we claimed is guaranteed by results proved in [3]. A word must 
be spent also about the use of propositional context logic with total truth assignments. In fact, 
partial truth assignments are one of the most relevant features of context logics as introduced 
in [4, 3]. However, it has been proved in [18] that every propositional context logic system with 
partial truth assignments is equivalent to one with total truth assignments. For this reason this 
aspect has been here disregarded. 


defined as follows: 

$F := P \cup (\neg F) \cup (F \wedge F) \cup (F \vee F) \cup (F \to F) \cup (\Box_i F).$ 

By means of this language it is possible to express statements about what holds 
on a level (in a context) via modal formulas. 

Semantics. As a semantics for this system we can use very simple models 
$M = (W, L, <, c, v)$ such that for every level of abstractness (or context) $i \in L$ 
the function $c$ associates a non-empty subset of $W$ ($c : L \to \mathrm{Pow}^+(W)$), and $v$ is 
the usual valuation function assigning truth values to propositions in worlds. 
The ordering $<\ \subseteq L \times L$ is an irreflexive, asymmetric and transitive ordering on 
$L$, the intuitive reading of which is: $i < j$ means that $i$ is less abstract than 
$j$ (feature 1). Using these models we can define the semantics of the levels of 
abstractness as follows: 

$M, w \models \Box_i A$ iff $\forall w' \in c(i) : M, w' \models A$ 


We omit here the obvious clauses for satisfaction of propositional formulas. 
Notice that the truth value of $\Box_i A$ does not depend on the world where it is 
evaluated. This reflects the intuition that whether $A$ is true at level $i$ does not 
depend on the place from which you evaluate it. It only depends on the truth 
of $A$ in that specific level (this is precisely what the aforementioned flatness 
property, corresponding to feature 2, consists in). With respect to the other requirements, 
we have that: feature 3 is guaranteed by the fact that $c$ delivers non-empty sub- 
sets of $W$, and feature 4 is guaranteed by the fact that there can be worlds not 
belonging to any $c(i)$^8. Noticeably, this semantics implements in a straightfor- 
ward way the thesis developed in context modeling according to which contexts 
can be soundly represented as sets of possible worlds ([27]). 

A final aspect worth stressing is that the ordering of the levels does not play 
any role in the semantics. One could imagine that the ordering on $L$ imposes an 
ordering on the sets $W_i$, e.g. $i < j \Rightarrow W_i \subseteq W_j$. This would imply the following 
validity: $\Box_j A \to \Box_i A$ iff $i < j$, i.e. a kind of inheritance from more abstract levels 
to more concrete levels. We have chosen not to include this property because 
it would impose many restrictions on the relation between levels, which are 
not really necessary. We will come back to this point later on in Section 5, 
where we will indicate some ideas about more subtle relations between levels of 
abstractness. 


8 It is instructive to notice that this semantics is equivalent with the more standard relational 
semantics for $\mathrm{KD45}^{i\text{-}j}_n$ given in terms of Kripke models with a family of accessibility relations 
$\{R_i\}_{i \in L}$, which are serial, transitive, and $i$-$j$ euclidean ($wR_iw',\ wR_jw'' \Rightarrow w''R_iw'$). The proof is 
straightforward once the family $\{R_i\}_{i \in L}$ is defined to be such that $wR_iw'$ iff $w' \in c(i)$. 


Axiomatization. $\mathrm{KD45}^{i\text{-}j}_n$ is obtainable via the following axiom and rule 
schemas: 

(P) all tautologies of propositional calculus 
(K$_i$) $\Box_i(A \to B) \to (\Box_i A \to \Box_i B)$ 
(D$_i$) $\neg\Box_i\bot$ 
(4$^{i\text{-}j}$) $\Box_i A \to \Box_j\Box_i A$ 
(5$^{i\text{-}j}$) $\neg\Box_i A \to \Box_j\neg\Box_i A$ 
(MP) $A,\ A \to B \ /\ B$ 
(N$_i$) $A \ /\ \Box_i A$ 

The system at issue is then a multi modal homogeneous KD45 with the two 
interaction axioms 4$^{i\text{-}j}$ and 5$^{i\text{-}j}$^9. This axiomatization is sound and complete 
with respect to the semantics presented (see [15]). 

4.2 A logic for translation rules 

Informally, A counts as B iff A at a level i determines the truth of B at a level 
j, where i < j (see Section 3.2). 

Theoretically, our proposal consists in understanding translation rules as 
bridge rules in the sense of theory of contexts (see for example [18]). Translation 
rules connect truth among different levels of abstractness, and more precisely 
from more concrete to more abstract levels. In addition, we consider translation 
rules to be defeasible. The reason for this choice is that different translation 
rules could have contradictory consequents, and therefore the antecedent of a 
translation rule cannot be strengthened: “signing form 32 counts as consenting 
for organ donation” but “signing form 32 while being under threat does not 
count as consenting for organ donation”. 

To model this notion of translation rule we make use of normal prioritized 
default logic ([2]), defining a normal prioritized default theory $\mathcal{T}_T$ on the system 
$\mathrm{KD45}^{i\text{-}j}_n$ for language $\mathcal{L}^L$: 

$\mathcal{T}_T = (F, D_T, \prec_T)$ 

where $F$ is a (possibly empty) set of assumptions, $D_T$ is a set of defaults, and $\prec_T$ 
is a priority ordering on defaults of $D_T$. By means of this logical machinery the 
following definition of translation rule can be stated: 

Definition 1. (Translation rules) 

A translation rule is a default rule of this form: 

$\Box_i A \leadsto \Box_j B$ with $i < j$. 


9 Instead of 4$^{i\text{-}j}$, it would be sufficient to assume a simple 4 axiom: $\Box_i A \to \Box_i\Box_i A$ (see [15]). 



Here “$\Box_i A \leadsto \Box_j B$” is a shorthand for $\Box_i A : \Box_j B / \Box_j B$, i.e. a normal default, 
the meaning of which is that the truth of $B$ can be derived on level $j$ from the 
truth of $A$ at level $i$ if the truth of $B$ on level $j$ does not result in an inconsis- 
tency. This account has several advantages: it has a clear theoretical grounding 
on context theory; it has a neat semantics; it enables easy non monotonic deriva- 
tions; it can rely on a broadly investigated logic. Thus, the fact that “signing 
form 32” is a way of “consenting for organ donation” in a certain hospital can 
now be formally represented as: 

$\Box_i \mathit{signing\_form\_32} \leadsto \Box_j \mathit{consent}$ 

where $i$ is a more concrete level of abstraction within the institution of “hospital” 
than $j$. 

In order to deal successfully with defeasibility we also introduced in Defini- 
tion 1 an explicit prioritization ordering $\prec_T$ on the set of defaults: 

$d_1 : \Box_i A \leadsto \Box_j B$ 

$d_2 : \Box_i(A \wedge C) \leadsto \Box_j \neg B$ 

One prioritization criterion is that more specific defaults have precedence 
according to a strict partial ordering. So, this means $d_2 \prec_T d_1$. 

Note that this prioritization orders only conflicting defaults such that either 
the prerequisites of the first imply the prerequisites of the second or vice versa. It 
does not supply a tool for deciding among conflicting defaults the prerequisites 
of which are logically unrelated. It may be useful, for example, to include a 
prioritization based on concreteness of the antecedent. This can be used in the 
following case: 

$d_1 : \Box_i A \leadsto \Box_j B$ 
$d_2 : \Box_k A \leadsto \Box_j \neg B$ 

$k < i$ 

obtaining that $d_2 \prec_T d_1$. 

We deem it important to stress that specificity and concreteness are only two 
of the many ways of deciding about conflicting defaults. In normative reason- 
ing especially, conflicts are often decided on the basis of authority hierarchies 
subsisting on norms, or on the basis of the time of their enactment ([21]). More- 
over, conflicts between priority ordering themselves can arise. The specificity 
and concreteness criteria should therefore only be seen as an exemplification of 
this range of possible criteria. 

4.3 A logic for normative rules 

Having defined levels of abstractness and their relations in the previous sections, 
we now turn to defining the norms themselves that operate on levels. To do this, 



we have to: first, enable a representation of deontic notions within the framework 
defined in Section 4.1; then, introduce suitable rules to model the conditional 
aspect of norms, which has been stressed in Section 2. 

Let us focus on the first point. To handle deontic notions (obligation, per- 
mission, prohibition), the standard deontic logic system KD (see [28]) suffices 
for our needs here. We can therefore define a fusion^10 $\mathrm{KD} \otimes \mathrm{KD45}^{i\text{-}j}_n$ on a common 
language $\mathcal{L}^{LO}$ containing the language for expressing the abstractness layering, 
$\mathcal{L}^L$, and the language of standard deontic logic, $\mathcal{L}^O$. 

Language. The language is a propositional logic language the alphabet of 
which is expanded with an $O$-operator and a set of indexed $\Box_i$-operators. The 
set of well formed formulas $F$ is defined as follows: 

$F := P \cup (\neg F) \cup (F \wedge F) \cup (F \vee F) \cup (F \to F) \cup (\Box_i F) \cup (\Box_i O(F))$ 


Note that we allow deontic modalities to operate only within $\Box_i$-formulas, and 
we do not allow deontic operators to have formulas in their scope if they 
are not under the scope of some $\Box_i$-operator. This expressive limitation is 
dictated by the fact that we do not want deontic operators to occur outside the 
scope of a $\Box_i$-operator. This captures the idea according to which normative 
consequences of certain conditions are supposed to always hold at certain 
levels of abstractness: normative consequences are always localized. 

Semantics. Semantics for $\mathcal{L}^{LO}$ is given on structures $M = (W, L, <, c, R, v)$ 
such that $(W, L, <, c, v)$ is a model for $\mathcal{L}^L$ (see Section 4.1), and $(W, R, v)$ is a 
model for $\mathcal{L}^O$ with $R$ being a serial accessibility relation on $W$. We omit here 
the obvious clauses for satisfaction of propositional formulas. The semantics of 
$\Box_i$-operators remains the same as described in Section 4.1. As to the semantics for 
the $O$-operator, we use the usual clause, obtaining the following expanded clause 
for formulas in $O(F)$: 

$M, w \models \Box_i O(A)$ iff $\forall w' \in c(i),\ \forall w'' \in W : R(w', w'') \Rightarrow M, w'' \models A$ 

Permission ($P$-operator) and prohibition ($F$-operator) can be defined in terms 
of obligation: $P(A) = \neg O(\neg A)$ and $F(A) = O(\neg A)$. 
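The satisfaction clauses of Sections 4.1 and 4.3 can be checked mechanically. The following Python model checker is an added example, not code from the paper: the model (worlds w1 to w4, levels c and a with c less abstract than a, the serial relation R and the valuation) is constructed for illustration, and the tuple encoding of formulas is our own. It evaluates $\Box_i$ with the clause over $c(i)$, composes it with the usual clause for $O$ to obtain the expanded clause for $\Box_i O(A)$ above, and verifies the flatness property: a $\Box_i$ formula has the same truth value at every world, including worlds outside $c(i)$, while a bare atom does not.

```python
# Added example (not code from the paper): a model checker for the
# semantics of Sections 4.1 and 4.3.  A model is M = (W, L, <, c, R, v):
#   W       set of worlds
#   c       maps every level i in L to a non-empty subset of W
#   R       serial accessibility relation used by the O-operator
#   v       valuation: the atoms true at each world
# Formulas are nested tuples:
#   ("atom", p)  ("not", f)  ("and", f, g)  ("or", f, g)  ("imp", f, g)
#   ("box", i, f)  stands for  Box_i f        ("O", f)  stands for  O(f)
from dataclasses import dataclass


@dataclass
class Model:
    worlds: set
    levels: dict      # c: level -> non-empty subset of worlds
    ordering: set     # pairs (i, j) read as "i < j", i.e. i is less abstract than j
    access: dict      # R: world -> set of successor worlds (serial)
    valuation: dict   # v: world -> set of atoms true there

    def __post_init__(self):
        for i, ws in self.levels.items():
            if not ws or not ws <= self.worlds:
                raise ValueError(f"c({i}) must be a non-empty subset of W")
        for w in self.worlds:
            if not self.access.get(w):
                raise ValueError(f"R must be serial: {w} has no successor")


def holds(m, w, f):
    """M, w |= f, following the satisfaction clauses of the paper."""
    kind = f[0]
    if kind == "atom":
        return f[1] in m.valuation.get(w, set())
    if kind == "not":
        return not holds(m, w, f[1])
    if kind == "and":
        return holds(m, w, f[1]) and holds(m, w, f[2])
    if kind == "or":
        return holds(m, w, f[1]) or holds(m, w, f[2])
    if kind == "imp":
        return (not holds(m, w, f[1])) or holds(m, w, f[2])
    if kind == "box":
        # M, w |= Box_i A  iff  for all w' in c(i): M, w' |= A   (w itself plays no role)
        return all(holds(m, w2, f[2]) for w2 in m.levels[f[1]])
    if kind == "O":
        # M, w |= O(A)  iff  for all w'' with R(w, w''): M, w'' |= A
        # Composed with the box clause this is exactly the expanded clause for Box_i O(A).
        return all(holds(m, w2, f[1]) for w2 in m.access[w])
    raise ValueError(f"unknown formula kind {kind!r}")


def is_flat(m, f):
    """Flatness (feature 2): the formula has one truth value at every world of W."""
    return len({holds(m, w, f) for w in m.worlds}) == 1


def sample_model():
    # Constructed sample model; levels c (concrete) < a (abstract), and w4 belongs
    # to no level at all (feature 4).  Every world accesses w4 only, so O(A) means
    # "A holds at w4".
    return Model(
        worlds={"w1", "w2", "w3", "w4"},
        levels={"c": {"w1", "w2"}, "a": {"w1", "w2", "w3"}},
        ordering={("c", "a")},
        access={w: {"w4"} for w in ("w1", "w2", "w3", "w4")},
        valuation={"w1": {"consent", "signing_form_32"},
                   "w2": {"consent"},
                   "w3": set(),
                   "w4": {"transplant"}},
    )


def evaluate_examples():
    m = sample_model()
    box_c_consent = ("box", "c", ("atom", "consent"))
    box_a_consent = ("box", "a", ("atom", "consent"))
    box_c_o_transplant = ("box", "c", ("O", ("atom", "transplant")))
    return {
        # true even when evaluated at w3, which lies outside c("c")
        "box_c_consent_at_w3": holds(m, "w3", box_c_consent),
        # false: w3 is in c("a") and consent does not hold there
        "box_a_consent_at_w1": holds(m, "w1", box_a_consent),
        # Box_c O(transplant): every R-successor of every world in c("c") satisfies transplant
        "box_c_O_transplant": holds(m, "w1", box_c_o_transplant),
        "all_flat": all(is_flat(m, f) for f in
                        (box_c_consent, box_a_consent, box_c_o_transplant)),
    }
```

Because the checker only quantifies over $c(i)$, the ordering stored in the model is never consulted, which is the point made above: the level ordering plays no role in the semantics unless one adds the inheritance condition $W_i \subseteq W_j$ by hand.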

Axiomatization. Logic $\mathrm{KD} \otimes \mathrm{KD45}^{i\text{-}j}_n$ can be easily axiomatized by the 
union of the set of axioms for $\mathrm{KD45}^{i\text{-}j}_n$ and the set of axioms for KD. The 
axiomatization of $\mathrm{KD45}^{i\text{-}j}_n$ (Section 4.1) should thus be extended as follows: 

10 For a detailed exposition of the concept of fusion we refer to [9]. Intuitively, a fusion of two logics 
is the simple join of them. 


(P) all tautologies of propositional calculus 
(K$_i$) $\Box_i(A \to B) \to (\Box_i A \to \Box_i B)$ 
(D$_i$) $\neg\Box_i\bot$ 
(4$^{i\text{-}j}$) $\Box_i A \to \Box_j\Box_i A$ 
(5$^{i\text{-}j}$) $\neg\Box_i A \to \Box_j\neg\Box_i A$ 
(MP) $A,\ A \to B \ /\ B$ 
(N$_i$) $A \ /\ \Box_i A$ 
(K$_O$) $O(A \to B) \to (OA \to OB)$ 
(D$_O$) $\neg O\bot$ 
(N$_O$) $A \ /\ OA$ 


Notice that no interaction axioms between $\Box_i$ and $O$ operators are stated. As 
proved in [9], fusions of systems preserve soundness and completeness; therefore 
system $\mathrm{KD} \otimes \mathrm{KD45}^{i\text{-}j}_n$ is sound and complete with respect to the semantics 
presented. 

To enable a representation of the conditional aspect of norms, and 
then of normative rules, we make again use of normal prioritized default logic, 
defining a normal prioritized default theory $\mathcal{T}_N$ on the system $\mathrm{KD} \otimes \mathrm{KD45}^{i\text{-}j}_n$ 
for language $\mathcal{L}^{LO}$: 

$\mathcal{T}_N = (F, D_N, \prec_N)$ 

where $F$ is a (possibly empty) set of assumptions, $D_N$ is a set of defaults, and $\prec_N$ 
is a priority ordering on defaults of $D_N$. By means of this logical machinery the 
following definition of normative rules can be stated: 

Definition 2. (Normative rules) 

A normative rule is a default rule of the form: 

$\Box_i A \leadsto \Box_j O B$ with $i < j$. 

Here “$\Box_i A \leadsto \Box_j O B$” is a shorthand for $\Box_i A : \Box_j O B / \Box_j O B$, i.e. a normal 
default, the meaning of which is that the truth of $OB$ can be derived on level $j$ 
from the truth of $A$ at level $i$ if the truth of $OB$ on level $j$ does not lead to an 
inconsistency. 

Conditional permission and prohibition are easily defined by replacing the 
O-operator by the P and F operators respectively. All remarks underlined in 
Section 4.2 about prioritizing defaults formalizing translation rules hold also for 
defaults formalizing normative rules. Given the above definition we can repre- 
sent the norm that consent is required in order to perform a transplantation, 
as follows: 


$\Box_i \mathit{consent} \leadsto \Box_i P(\mathit{transplant})$ 



At this point, it is worth remarking that translation rules and normative rules 
share the same type of defeasibility. This representational choice captures an 
important analogy which we deem to subsist between the two types of rules 
composing institutions: 

— Translation rules connect truth on a level to truth on a more abstract level, 
and this connection takes place in a defeasible way. 

— Normative rules connect truth on a level to ideality on another, possibly the 
same, level, and also this connection takes place defeasibly. 

That connection is what they share and what we represented here by means of 
normal defaults^11. 

Within this framework, definitions of abstract and concrete normative rules, 
representing respectively abstract and concrete norms, can also be stated: 

Definition 3. (Concrete Normative Rules) 

A concrete normative rule is a default $\Box_i A \leadsto \Box_j O(B)$ s.t. there is no default 
$\Box_h C \leadsto \Box_k D$ with $h < k$ s.t. $A = D$ and $i = k$, or $B = D$ and $j = k$. 

Definition 4. (Abstract Normative Rules) 

An abstract normative rule is a normative rule which is not concrete. 

In the next section we put this articulate framework at work, providing the 
reader with an example. 

4.4 An example 

The example we are going to model is chosen again from [8, 16]. 

Example 1. (Personal data in severe criminality registers) 

Part of the abstract norm “the inclusion of personal data in a severe criminality 
register occurs only when it concerns: a) suspect of crimes; b) etc.” can be 
modeled as follows: 

$\Box_a(\mathit{personal(datum)} \wedge \mathit{suspect(datum)}) \leadsto \Box_c P\,\mathit{include(datum)}$ 

Part of the concrete norm “personal data are financial and corporate data; data 
concerning nationality; etc.” might be represented as follows: 

$\Box_c(\mathit{nationality(datum)} \wedge \mathit{suspect(datum)}) \leadsto \Box_c P\,\mathit{include(datum)}$ 

The translation rule “personal data are financial and corporate data; data con- 
cerning nationality; etc.” is representable as follows: 

$\Box_c \mathit{nationality(datum)} \leadsto \Box_a \mathit{personal(datum)}$ 

where $c < a$. 


11 In this respect, our approach is close to the proposal in [11], though we carried it out by means 
of different formal tools. 




The first norm is more abstract because it operates between level $a$ and level 
$c$. The second one is instead more concrete. The connection among the two 
of them is expressed by the translation rule connecting $c$ to $a$ with respect 
to the states of affairs $\mathit{nationality(datum)}$ and $\mathit{personal(datum)}$^12. It may 
be worth noticing a reasoning pattern straightforwardly available on the ba- 
sis of this representation: assuming $\Box_c(\mathit{nationality(datum)} \wedge \mathit{suspect(datum)})$, 
by means of default $\Box_c \mathit{nationality(datum)} \leadsto \Box_a \mathit{personal(datum)}$ and va- 
lidities for $\Box$, we can infer $\Box_a(\mathit{personal(datum)} \wedge \mathit{suspect(datum)})$; we can 
then infer the normative consequence $\Box_c P\,\mathit{include(datum)}$ by means of default 
$\Box_a(\mathit{personal(datum)} \wedge \mathit{suspect(datum)}) \leadsto \Box_c P\,\mathit{include(datum)}$^13. 
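The normal-default machinery of Sections 4.2 and 4.3, the specificity criterion for conflicting defaults, and the reasoning pattern of Example 1 can be run on a small prioritized default engine. The Python below is an added example, not code from the paper. It assumes a flat encoding of $\Box_i$-formulas as levelled literals (a conjunction under one box becomes a set of literals on that level, which is how the "validities for $\Box$" are used here), implements consistency as "no $\Box_j C$ together with $\Box_j \neg C$", and derives the specificity ordering $d_2 \prec d_1$ automatically from the prerequisites. The facts, and the extra translation rule that carries $\mathit{suspect(datum)}$ from level $c$ to level $a$ so that the abstract normative rule can fire, are assumptions added here.

```python
# Added example (not code from the paper): normal prioritized defaults over
# levelled literals, in the spirit of Definitions 1 and 2 and the prioritization
# criteria of Section 4.2.  A levelled literal (i, "p") stands for Box_i p; a
# leading "~" negates; "O(...)" / "P(...)" mark deontic consequents.  A default
# Box_i(A1 & ... & An) ~> Box_j C  is  Default(name, {(i,A1),...,(i,An)}, (j,C)).
from collections import namedtuple

Default = namedtuple("Default", "name prereq conseq")


def negate(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit


def specificity_order(defaults):
    """Specificity criterion: d2 takes precedence over d1 (d2 < d1) when d2's
    prerequisite strictly implies d1's and their consequents conflict on the
    same level.  Returned as pairs (higher-priority name, lower-priority name)."""
    order = set()
    for d1 in defaults:
        for d2 in defaults:
            if (d1.prereq < d2.prereq                  # strict superset of prerequisites
                    and d1.conseq[0] == d2.conseq[0]   # same consequent level j
                    and d1.conseq[1] == negate(d2.conseq[1])):
                order.add((d2.name, d1.name))
    return order


def extension(facts, defaults, priority=()):
    """Apply normal defaults one at a time: a default is applicable when its
    prerequisites are derived and its consequent is consistent with what is
    already on that level (no Box_j C together with Box_j ~C); among applicable
    defaults, one over which no other applicable default has precedence is
    applied first.  Returns the derived facts and the application order."""
    facts = set(facts)
    priority = set(priority) | specificity_order(defaults)
    applied = []
    while True:
        applicable = [d for d in defaults
                      if d.name not in applied
                      and d.prereq <= facts
                      and (d.conseq[0], negate(d.conseq[1])) not in facts]
        best = [d for d in applicable
                if not any((e.name, d.name) in priority for e in applicable)]
        if not best:
            return facts, applied
        chosen = best[0]
        facts.add(chosen.conseq)
        applied.append(chosen.name)


def example_registers():
    """Example 1 of the paper: levels c < a.  The facts and the extra rule carrying
    suspect(datum) to level a are assumptions added here so the chain closes."""
    facts = {("c", "nationality(datum)"), ("c", "suspect(datum)")}
    defaults = [
        Default("t_personal", frozenset({("c", "nationality(datum)")}),
                ("a", "personal(datum)")),          # translation rule from the paper
        Default("t_suspect", frozenset({("c", "suspect(datum)")}),
                ("a", "suspect(datum)")),           # assumed translation rule
        Default("n_abstract", frozenset({("a", "personal(datum)"), ("a", "suspect(datum)")}),
                ("c", "P(include(datum))")),        # abstract normative rule from the paper
    ]
    derived, applied = extension(facts, defaults)
    return ("c", "P(include(datum))") in derived, applied


def example_consent():
    """Section 4.2: the more specific default d2 (signing under threat) wins over d1."""
    facts = {("c", "signing_form_32"), ("c", "under_threat")}
    d1 = Default("d1", frozenset({("c", "signing_form_32")}), ("a", "consent"))
    d2 = Default("d2", frozenset({("c", "signing_form_32"), ("c", "under_threat")}),
                 ("a", "~consent"))
    derived, applied = extension(facts, [d1, d2])
    return ("a", "consent") in derived, ("a", "~consent") in derived, applied
```

Without the `under_threat` fact only `d1` is applicable and `consent` is derived at level $a$; with it, `d2` is applied first because of specificity and `d1` is then blocked by the consistency check, which is the "antecedent cannot be strengthened" behaviour the text describes. Other criteria, such as concreteness of the antecedent or authority hierarchies, can be supplied through the `priority` argument as explicit pairs.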

5 Institutions defined formally 

On the basis of the formal analysis just presented we are now in a position 
to provide a formal definition of the concept of institution in terms of default 
theories. However, before getting to this, a related issue should be considered, 
that is: how to rigorously relate institutions and levels of abstractness. In other 
words, at what level of abstractness does the institution end? If one includes 
only the levels explicitly specified for the institution, then the norms possibly 
coming from more abstract levels would not come to belong to the institutional 
theory. I.e. if i < j and j is a level that does not belong to the institution then 
the norms operating on level j also are not “inherited” by the institution. On 
the other hand, incorporating all levels of abstractness connected to the levels 
explicitly defined within the institution would include the complete layering in 
which the institution is merged. 

We therefore choose to propose two definitions, one corresponding to an 
“explicit” view on institutional theories and one corresponding to the “implicit” 
one. 

Let us consider the default theory $\mathcal{T} = (F, D_N \cup D_T, \prec_N \cup \prec_T)$, i.e. a 
default theory for both translation and normative rules, and let $L$ be the set 
of abstractness levels and $<$ their ordering. Let then $L_I$ be the set of levels of 
abstractness on which institution $I$ works, and let $<_I$ be the sub-ordering of 
$<$ on $L_I$. The following definitions can be stated. 

Definition 5. (Explicit Institutional Theories) 

An explicit institutional theory $I^{expl}$ is defined as a triple $(N_I, T_I, \prec_I)$ where: 

$N_I = \bigcup_{i \in L_I} N_i$ 

with $N_i = \{\Box_i A \leadsto \Box_j O B \mid \Box_i A \leadsto \Box_j O B \in D_N \ \&\ j \in L_I\}$. And where: 

$T_I = \bigcup_{i \in L_I} T_i$ 


12 Notice that we presupposed the state of affairs include(datum) to be a concrete one. 

13 Notice that this argument is nothing but a normal defaults proof. 



with $T_i = \{\Box_i A \leadsto \Box_j B \mid \Box_i A \leadsto \Box_j B \in D_T \ \&\ j \in L_I\}$. The third element 
of the triple consists in the prioritization ordering $\prec_I \subseteq \prec_N \cup \prec_T$ on defaults in 
$N_I$ and $T_I$. 

Intuitively, an institution is described as the set of all normative and translation 
rules defined between the levels explicitly belonging to that institution. 

Definition 6. (Implicit Institutional Theories) 

An implicit institutional theory $I^{impl}$ is defined as a triple $(N^*_I, T^*_I, \prec^*_I)$ 
where: 

$N^*_I = N_I \cup \bigcup_{k \in L} N_k$ 

with $N_k = \{\Box_k A \leadsto \Box_l O B \mid \Box_k A \leadsto \Box_l O B \in D_N \ \&\ \exists j \in L_I,\ j < k\}$. And 
where: 

$T^*_I = T_I \cup \bigcup_{k \in L} T_k$ 

with $T_k = \{\Box_k A \leadsto \Box_l B \mid \Box_k A \leadsto \Box_l B \in D_T \ \&\ \exists j \in L_I,\ j < k\}$. The third 
element of the triple consists in the prioritization ordering $\prec^*_I \subseteq \prec_N \cup \prec_T$ on 
defaults in $N^*_I$ and $T^*_I$. 

Intuitively, an implicit theory of an institution $I$ is nothing but a sort of closure 
of the explicit theory $I^{expl}$ of $I$ along the abstractness ordering $<$, leading the 
explicit theory to incorporate every normative and translation rule defined 
between levels more abstract than the levels explicitly belonging to $I$. From 
Definitions 5 and 6 it obviously follows that $N_I \subseteq N^*_I$ and $T_I \subseteq T^*_I$. Let us 
consider now a simple example excerpted again from [26]. 

Example 2. (Rules inheritance within institutions) 

In order to extract an organ from a living donor each hospital in Spain ought 
to ascertain the legal age of the donor. The state of affairs $\mathit{legal\_age}$ is not 
a concrete one; let the level of abstractness it holds on be $s_3$. The institu- 
tion “hospital in Spain” $I_S$ inherits a rule from Spanish general law according 
to which $\mathit{legal\_age}$ supervenes on $\mathit{being\_eighteen\_years\_old}$. Nor can this last 
state of affairs be properly seen as concrete; let its level be $s_2$. Then the 
institution “Valencia hospital” $I_V$ contains another rule according to which 
$\mathit{being\_eighteen\_years\_old}$ supervenes on $\mathit{ID\_testifies\_legal\_age}$. This can be 
deemed concrete; let its level be $s_1$. We then have three ordered levels and 
two institutions constituted by rules operating on those levels. One institution 
is general, namely $I_S$, and it works between levels $s_1$, $s_2$ and $s_3$; the other one, 
namely $I_V$, is more particular and it operates between $s_1$ and $s_2$. 

Theory $I_S^{expl}$ would be a triple $(N_S, T_S, \prec_S)$ such that: 

$\Box_{s_1} \mathit{extract} \leadsto \Box_{s_2} O(\mathit{being\_eighteen\_years\_old}) \in N_S$, 

$\Box_{s_2} \mathit{being\_eighteen\_years\_old} \leadsto \Box_{s_3} \mathit{legal\_age} \in T_S$ 

Theory $I_V^{expl}$ would instead be a triple $(N_V, T_V, \prec_V)$ such that, basically: 

$\Box_{s_1} \mathit{ID\_testifies\_legal\_age} \leadsto \Box_{s_2} \mathit{being\_eighteen\_years\_old} \in T_V$. 

To understand the sense of this rule in the context of $I_V$ it is necessary to 
consider the implicit account $I_V^{impl}$ of this institution: $(N^*_V, T^*_V, \prec^*_V)$. We 
then obtain what follows: 

$\Box_{s_1} \mathit{extract} \leadsto \Box_{s_2} O(\mathit{being\_eighteen\_years\_old}) \in N^*_V$, 

$\Box_{s_2} \mathit{being\_eighteen\_years\_old} \leadsto \Box_{s_3} \mathit{legal\_age} \in T^*_V$ 

This means that $I_V^{impl}$ and $I_S^{expl}$ share something: in this case $N^*_V \cap N_S \neq \emptyset$ 
and $T^*_V \cap T_S \neq \emptyset$. This exactly shows how $I_V$ inherits rules from $I_S$, and more 
noticeably how $I_V$ concretizes norms belonging to $I_S$ by means of translation 
rules. 
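Definitions 5 and 6 are set-theoretic and can be computed directly from a shared default theory, a level ordering and the set $L_I$ of an institution's levels. The Python below is an added example, not code from the paper; the rule encoding (a 4-tuple for $\Box_i A \leadsto \Box_j C$, with deontic consequents recognised by their `O(`, `P(` or `F(` prefix) is our own, and the rule set reproduces Example 2 with the three levels $s_1 < s_2 < s_3$. It shows that the $\mathit{legal\_age}$ translation rule is absent from $I_V^{expl}$, because $s_3 \notin L_V$, but present in $I_V^{impl}$, because $s_1 \in L_V$ and $s_1 < s_2$, so that $T^*_V \cap T_S \neq \emptyset$ as stated above. Note that, with one shared theory, Definition 5 also places the Valencia rule in $I_S^{expl}$ since both its levels lie in $L_S$; the assertions below concern $I_V$ only.

```python
# Added example (not the paper's code): explicit and implicit institutional
# theories (Definitions 5 and 6) computed from one default theory over levels,
# applied to Example 2.  A rule (i, A, j, C) stands for Box_i A ~> Box_j C;
# normative rules are those whose consequent C is deontic, e.g. "O(...)".


def strict_order_closure(order):
    """Transitive closure of the level ordering < given as pairs (i, j), i < j."""
    lt = set(order)
    while True:
        new = {(a, d) for (a, b) in lt for (c, d) in lt if b == c} - lt
        if not new:
            return lt
        lt |= new


def explicit_theory(rules, levels_I):
    """Definition 5: N_I and T_I contain the rules whose antecedent level i and
    consequent level j both lie in L_I."""
    return {r for r in rules if r[0] in levels_I and r[2] in levels_I}


def implicit_theory(rules, levels_I, order):
    """Definition 6: the explicit theory plus every rule whose antecedent level k
    is strictly more abstract than some level j of the institution (j < k)."""
    lt = strict_order_closure(order)
    inherited = {r for r in rules if any((j, r[0]) in lt for j in levels_I)}
    return explicit_theory(rules, levels_I) | inherited


def is_normative(rule):
    return rule[3].startswith(("O(", "P(", "F("))


def split(theory):
    """Separate a theory into its normative part N and translation part T."""
    return ({r for r in theory if is_normative(r)},
            {r for r in theory if not is_normative(r)})


# Example 2: three ordered levels s1 < s2 < s3 and two institutions (constructed
# encoding of the rules named in the paper).
ORDER = {("s1", "s2"), ("s2", "s3")}
LEGAL_AGE_RULE = ("s2", "being_eighteen_years_old", "s3", "legal_age")
RULES = {
    ("s1", "extract", "s2", "O(being_eighteen_years_old)"),             # in N_S
    LEGAL_AGE_RULE,                                                     # in T_S
    ("s1", "ID_testifies_legal_age", "s2", "being_eighteen_years_old"), # Valencia's rule, in T_V
}
L_S = {"s1", "s2", "s3"}
L_V = {"s1", "s2"}


def example_inheritance():
    """What I_V inherits from I_S once its implicit theory is taken (Definition 6)."""
    n_s, t_s = split(explicit_theory(RULES, L_S))
    n_v, t_v = split(explicit_theory(RULES, L_V))
    n_v_star, t_v_star = split(implicit_theory(RULES, L_V, ORDER))
    return {
        "legal_age_rule_explicit_in_V": LEGAL_AGE_RULE in t_v,
        "legal_age_rule_implicit_in_V": LEGAL_AGE_RULE in t_v_star,
        "N_V_star_meets_N_S": bool(n_v_star & n_s),
        "T_V_star_meets_T_S": bool(t_v_star & t_s),
        "explicit_subset_of_implicit": n_v <= n_v_star and t_v <= t_v_star,
    }
```

The last entry checks the inclusion $N_I \subseteq N^*_I$, $T_I \subseteq T^*_I$ noted after Definition 6; the closure of the ordering is needed so that a level two steps above $L_I$ still counts as "more abstract than some $j \in L_I$".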

6 Reasoning with Institutions 

In this section we show how our formal approach to institutions, that led to 
Definitions 5 and 6, can be straightforwardly merged in formal argumentation 
frameworks specifically developed to account for legal reasoning, such as [24, 
20,22]. This will display some guidelines on how to enable articulate reasoning 
patterns within our approach. 

Logical systems for argumentation formalize “a particular group of patterns 
of inferences, namely those where arguments for and against a certain claim 
are produced and evaluated, to test the tenability of the claim” ([23]). In [24] 
an argumentation framework is presented, which is based on normal default 
logic and which accounts for reasoning with both what we called, in Section 
2, regulative and constitutive norms of normative systems. Within this setting, 
the central concept on which the argumentation system is based is the concept 
of deontic context, that is, a set of facts on which the set of default rules can 
be applied, inferring the normative consequences relevant to that set of facts. 
In that work, however, no attention is given to the issue of abstractness and 
concreteness of norms, and consequently the logic on which default theories are 
built is just the standard deontic logic system KD. Defaults are therefore 
rules of this type: $A \leadsto B$ and $A \leadsto OB$. If we assume the multi-modal system 
exposed in Section 4.3 as the logic on which to apply normal defaults, and 
recalling Definitions 5 and 6, this useful notion can be adapted to our approach 
and modified as follows. 

Definition 7. (Institutional Contexts) 

An explicit institutional context $\mathcal{I}^{expl} = (F, I^{expl})$ consists of a set $F$ of propo- 
sitional sentences on a language $\mathcal{L}_{LO}$, and an explicit institutional theory $I^{expl}$. 
An implicit institutional context $\mathcal{I}^{impl} = (F, I^{impl})$ consists of a set $F$ of propo- 
sitional sentences on a language $\mathcal{L}_{LO}$, and an implicit institutional theory $I^{impl}$. 



By means of these notions of institutional contexts, scenarios in which an in- 
stitution $I$ is made operative on the set of facts $F$ can be formalized: through 
the rules of which institution $I$ consists, normative consequences at different 
levels of abstractness can be defeasibly established from $F$. The whole formal 
argumentation machinery exposed in [24] can then be put to work on insti- 
tutional contexts instead of on deontic contexts, thus providing definitions of 
the notions of: argument, conflict and defeat relations between arguments, and 
justified, defensible and overruled arguments$^{14}$. 

Analogous observations can be carried out in relation with the argumenta- 
tion framework for legal reasoning presented in [20, 22], which is also based on 
normal default logic and therefore, in principle, perfectly suitable to handle our 
notion of institutional theory. 


7 Conclusions and Future Work 


In this work we discussed the problem of incorporating abstract norms into 
institutions that regulate the interactions between agents. We have shown by 
means of several examples that the level of abstraction of the norms is differ- 
ent from that of the procedures operating the institution. For this reason it 
does not suffice to just formalize the norms and procedures and then validate 
or verify the procedures against the norms. We therefore proposed to use ex- 
plicit translation rules (formalized by normal defaults), corresponding to the 
so-called constitutive rules in legal and social theory, to formally characterize 
this translation. In order to capture the idea of a translation from the abstract 
level to the concrete level we chose to represent those levels explicitly, modeling 
them as contexts. Translation rules played then a kind of bridging role between 
levels/contexts. 

Two research lines are particularly worth investigating in order to further 
develop the results presented here. First, as underlined in Section 2.2, an ade- 
quate understanding of the relation of implementation of a set of norms via a 
set of procedures deserves an accurate analysis in order to fully understand how 
norms are translated to an operational dimension, and therefore how institu- 
tions are instantiated by specific organizations. Secondly, although the logical 
formalism proposed gives the tools to describe the relations between norms on 
different abstraction levels, it does not in itself account for the restrictions which 
apply to this relation. As already noticed in Section 3.1, “wearing a red hat” 
is probably not acceptable as an implementation of “consenting for organ do- 
nation”, or analogously the “daily temperature” cannot count as a “personal 
datum”. We intend to use formal ontological descriptions to account for this 
kind of restrictions constraining translation rules. 


14 For an exhaustive account of the role of these concepts in argumentation logics we refer to [23]. 
1 Introduction 


A normative system is defined as any set of interacting agents whose behav- 
ior can usefully be regarded as norm-directed [9]. Most organizations, and more 
specifically institutions, fall under this definition. Interactions in these normative 
systems are regulated by normative templates that describe desired behavior in 
terms of deontic concepts (obligations, prohibitions and permissions), deadlines, 
violations and sanctions. Agreements between agents, and between an agent and 
the society, can then be specified by means of contracts. Contracts provide flex- 
ible but verifiable means to integrate society requirements and agent autonomy, 
and are an adequate means for the explicit specification of interactions [14]. 
From the society perspective, it is important that these contracts adhere to the 
specifications described in the model of the organization. If we want to automate 
such verifications, we have to formalize the languages used for contracts and for 
the specification of organizations. 

In [13] we presented the logic LCR, which is based on deontic temporal logic. 
LCR is an expressive language for describing interaction in multi-agent systems, 
including obligations with deadlines. Deadlines are important norms in most 
interactions between agents. Intuitively, a deadline states that an agent should 
perform an action before a certain point in time. The obligation to perform the 
action starts at the moment the deadline becomes active, e.g. when a contract 
is signed or approved. If the action is not performed in time a violation of the 
deadline occurs. It can be specified independently what measure has to be taken 
in this case. 

In previous work, we have advocated the use of declarative deadline specifi- 
cations, as it facilitates the check for compliance to a deadline and enables rea- 
soning about norms before the planning process determines the next sequence 
of actions [5]. In this paper we investigate the deadline concept in more detail. 

The paper is organized as follows. Section 2 defines the variant of CTL we 
use. In section 3, we discuss the basic intuitions of deadlines. Section 4 presents a 
first intuitive formalization for deadlines. In section 5, we look at a more complex 
model for deadlines trying to catch some more practical aspects. Finally, in 
section 6 we present issues for future work and our conclusions. 
2 Preliminaries: CTL 


The reader can find the definitions for the branching time logic CTL in the 
literature (e.g. [3, 7, 4]). But, since we need a specific variant of the until operator, 
we define CTL here explicitly. 

Well-formed formulas of the temporal language $\mathcal{L}_{CTL}$ are defined by: 

$\varphi, \psi, \ldots := p \mid \neg\varphi \mid \varphi \wedge \psi \mid E\alpha \mid A\alpha$ 
$\alpha, \beta, \ldots := \varphi\, U^e\, \psi \mid X\varphi$ 

where $\varphi, \psi$ represent arbitrary well-formed formulas, and where the $p$ are 
elements from an infinite set of propositional symbols $\mathcal{P}$. Formulas $\alpha, \beta, \ldots$ are 
called ‘path formulas’. We use the superscript $e$ for the until operator to denote 
that this is the version of ‘the until’ where $\varphi$ is not required to hold at the point 
where $\psi$ holds, i.e., that point is excluded. However, the present state is not 
excluded, which means that our until operator is reflexive. This gives us the 
following informal meaning of the until operator: 


$E(\varphi\, U^e\, \psi)$: there is a future for which eventually, at some point $m$, the condi- 
tion $\psi$ holds, while $\varphi$ holds from now until the moment before $m$ 

We define all other CTL-operators as abbreviations. Although we do not use 
all of the LTL operators X, F, and G in this paper, we give their abbreviations 
(in combination with the path quantifiers E and A) in terms of the defined op- 
erators for the sake of completeness. We also assume the standard propositional 
abbreviations. 

$EF\varphi =_{def} E(\top\, U^e\, \varphi)$ \qquad $AG\varphi =_{def} \neg EF\neg\varphi$ 

$AF\varphi =_{def} A(\top\, U^e\, \varphi)$ \qquad $EG\varphi =_{def} \neg AF\neg\varphi$ 

$A(\varphi U \psi) =_{def} A(\varphi\, U^e\, (\varphi \wedge \psi))$ \qquad $E(\varphi U \psi) =_{def} E(\varphi\, U^e\, (\varphi \wedge \psi))$ 

The informal meanings of the formulas with a universal path quantifier are as 
follows (the informal meanings for the versions with an existential path quantifier 
follow trivially): 


$A(\varphi U \psi)$: for all futures, eventually, at some point the condition $\psi$ will hold, 
while $\varphi$ holds from now until then 
$AX\varphi$: at any next moment $\varphi$ will hold 
$AF\varphi$: for all futures, eventually $\varphi$ will hold 
$AG\varphi$: for all possible futures $\varphi$ holds globally 

A CTL model $M = (S, \mathcal{R}, \pi)$ consists of a non-empty set $S$ of states, an 
accessibility relation $\mathcal{R}$ and an interpretation function $\pi$ for propositional atoms. 
A full path $\sigma$ in $M$ is a sequence $\sigma = s_0, s_1, s_2, \ldots$ such that for every $i \geq 0$, 
$s_i$ is an element of $S$ and $s_i \mathcal{R} s_{i+1}$, and if $\sigma$ is finite with $s_n$ its final situation, 
then there is no situation $s_{n+1}$ in $S$ such that $s_n \mathcal{R} s_{n+1}$. We say that the full 
path $\sigma$ starts at $s$ if and only if $s_0 = s$. We denote the state $s_i$ of a full path 
$\sigma = s_0, s_1, s_2, \ldots$ in $M$ by $\sigma_i$. Validity $M, s \models \varphi$ of a CTL-formula $\varphi$ in a world 
$s$ of a model $M = (S, \mathcal{R}, \pi)$ is defined as: 


$M, s \models p \Leftrightarrow s \in \pi(p)$ 

$M, s \models \neg\varphi \Leftrightarrow$ not $M, s \models \varphi$ 

$M, s \models \varphi \wedge \psi \Leftrightarrow M, s \models \varphi$ and $M, s \models \psi$ 

$M, s \models E\alpha \Leftrightarrow \exists\sigma$ in $M$ such that $\sigma_0 = s$ and $M, \sigma, s \models \alpha$ 

$M, s \models A\alpha \Leftrightarrow \forall\sigma$ in $M$ such that $\sigma_0 = s$ it holds that $M, \sigma, s \models \alpha$ 

$M, \sigma, s \models X\varphi \Leftrightarrow M, \sigma_1 \models \varphi$ 

$M, \sigma, s \models \varphi\, U^e\, \psi \Leftrightarrow \exists n \geq 0$ such that 
(1) $M, \sigma_n \models \psi$ and 
(2) $\forall i$ with $0 \leq i < n$ it holds that $M, \sigma_i \models \varphi$ 


Validity on a CTL model $M$ is defined as validity in all states of the model. If 
$\varphi$ is valid on a CTL model $M$, we say that $M$ is a model for $\varphi$. General validity 
of a formula $\varphi$ is defined as validity on all CTL models. The logic CTL is the 
set of all general validities of $\mathcal{L}_{CTL}$ over the class of CTL models. 


3 Basic choices for the formalization of deadlines 

In this section we study some choices to make when developing a formal model for 
deadlines. The deontic aspect of deadlines is formalized by introducing a set $\mathcal{A}$ of 
agent identifiers and a propositional constant $\mathit{Viol}(a)$ for each $a \in \mathcal{A}$ in $\mathcal{L}_{CTL}$. 
The general idea is that the violation condition holds (i.e., the propositional 
constant $\mathit{Viol}(a)$ is true) at those moments where agent $a$ violates a deontic 
deadline. This enables us to reason about violations explicitly, and about what 
to do if they occur, which is a distinctive feature of deontic reasoning. We model 
deadline conditions as propositions. This seems a reasonable choice given that 
we do not want to model a deadline in a logic of explicit time (real time). Our 
view is more abstract, and a deadline is simply a condition true at some point 
in time. We use the symbols $\delta$ and $\gamma$ to denote deadline propositions. 

Although the basic idea of a deadline is very simple, it appears that the 
details are intricate. We suggest that one of the reasons is that in order to 
model deadlines, we need to model a causal relation between non-fulfilment of an 
obligation and so-called ‘violation conditions’. Causal relations are notoriously 
hard to formalize. Figure 1 pictures the situation. 

The figure shows several possible futures from a point where a deadline is in 
force. In some futures the required action does not take place and a violation 
results after the deadline is reached. For other futures, the action does take place 
before the deadline is reached, and no violations appear after the action. 

We denote a deadline for agent $a$ saying that it is obliged to achieve the 
condition $\rho$ before $\delta$ holds, by the formula $O_a(\rho < \delta)$. We will give a formal 
definition of the semantics of this formula after, in the next sections, we have 
discussed some basic choices to make. 



Fig. 1. The semantics of deadlines 


3.1 Do obligations persist after the deadline? 

A first distinction we make is between deadline obligations that are discharged 
by a failure to meet the deadline, and deadline obligations where the obligation 
is not discharged at the deadline. For a deadline of the first type it makes no 
sense to perform the action after the deadline passes. E.g., submitting a paper 
after the deadline of a conference has no effect. An example of the second type 
is the situation where one has to pay a fine for some traffic offense by the end 
of the month. Even when one does not pay, the obligation to pay persists (see 
also the work of Brown on ‘standing obligations’ [2]). Yet another category are 
the ‘repetitive obligations’, where the same deadline obligation is repeated over 
a period of time, for example monthly mortgage payments. 


3.2 What if the deadline is never or immediately met? 

We first consider the case where $\delta$ equals $\bot$. Clearly, $\bot$ is a condition that will 
never be met. A natural question is whether it is actually possible to have a 
deadline obligation for a deadline that never occurs. One could choose to say that 
this is impossible, which leads to the optional property (1) $\models \neg O_a(\rho < \bot)$. This 
is the case for our deadline definition in section 5, because, in the definition given 
there, we assume that a deadline obligation can only be in force if the deadline 
condition actually occurs at some point in the future. Another possibility is to 
say that for any condition $\rho$ such an obligation is actually always valid, but void, 
i.e., without any ‘force’. This corresponds to the property (2) $\models O_a(\rho < \bot)$. Such 
obligations can be considered void, because they cannot be violated; since the 
deadline never occurs, there will never be a point in time where non-compliance is 
evaluated. It might be argued that a similar situation occurs in standard deontic 
logic [15], where we have $\models O\top$, which corresponds with the void obligation for 
a tautology (also something that can never be violated). Our formalization in 
section 4 satisfies this property. 

Obviously, the third possibility is that neither property (1), nor property (2) 
is satisfied. For instance, one could argue that an obligation for a deadline that 
never occurs, i.e., $O_a(\rho < \bot)$, is not void, but should be interpreted as follows: 
the impossibility of the deadline condition means that the deadline is ill-defined, 
but this does not imply that the agent is free to postpone his duty forever: he 
has to comply at some future point anyway (where that point can be arbitrarily 
far in the future). The corresponding formula is: (3) $\models O_a(\rho < \bot) \rightarrow AF\rho$. 

Now consider the case where $\delta$ equals $\top$. This means that the deadline con- 
dition is met trivially, in the current state. One possible view is that in this case, 
we can still comply with the obligation by ensuring that also $\rho$ is met in the current 
state. The corresponding property is: (4) $\models O_a(\rho < \top) \rightarrow \mathit{Viol}(a) \vee \rho$. 

Alternatively, we might argue that it is impossible to comply with a deadline 
for which the deadline condition is true now. For an agent, it takes some time 
to decide whether or not to comply, and to bring about the condition $\rho$ the 
obligation is concerned with. Then, if the deadline condition is true now, there is 
no time left for this process, and the agent will inevitably violate the obligation. 
In our definitions of sections 4 and 5, we take this aspect into account. The 
corresponding property is (5) $\models O_a(\rho < \top) \rightarrow \mathit{Viol}(a)$, which is satisfied by 
the deontic deadline definition in sections 4 and 5. Note that under this view, 
the violation is not avoided if accidentally the condition $\rho$ is true in the present 
state. This is because under this view, conditions are linked to agents that bring 
them about, which is a decision they make in the previous state, as we explain 
later on. 

Finally one short comment about the thought that we have to account for 
the situation that a deadline condition might have been true in the past. Clearly 
we do not have to consider this situation, because it is impossible to have an 
obligation to do something before something that occurred in the past. 

3.3 What if the accomplishment is accidentally, never or trivially 
achieved? 

First we address the question whether it counts as compliance to a deadline 
obligation when the condition that is obliged occurs ‘accidentally’. It is possible 
that the state $\rho$ occurs without any effort or intention of the agent for whom 
the obligation holds. E.g. if a person is obliged to write the introduction of a 
paper, fails to do so, but a co-author writes the introduction (because he is 
tired of waiting for that person). Did the person fulfill his obligation or not? If 
obligations are personal, should it not be the case that also the achievements $\rho$ 
are personal? After all, we do not want that if another agent, or ‘nature’, brings 
about the achievement, the agent with the obligation has complied. We encounter 
a basic choice to make here. If we do not want our obligations to be personal, we 
do not have to personalize the achievements. But, if we do want our obligations 
to be personal, we somehow have to link achievements to agents. There is a vast 
amount of literature about personalizing the achievement of conditions [10, 1, 
8, 6]. Usually, such theories are called ‘logics of action and/or agency’. Inspired 
by the work of Pörn [10], we use the stit operator $E_a\rho$, to denote that agent $a$ 
achieves condition $\rho$. A difference with the stit operator of Pörn is that in our 
temporal setting, performing a ‘seeing to it’ action takes one time-step. That 
is, our stit-operator obeys $\models E_a\rho \rightarrow X\rho$, and not $\models E_a\rho \rightarrow \rho$, which holds for 
most other agency operators. 



Our next question concerns the case where the achievement can never be 
reached. For instance, one might think of a personal obligation for a condition not 
under control of an agent. An example is the condition $\bot$. Again, a first option 
is to say that obligations of the form $O_a(\bot < \delta)$ are impossible or inconsistent. 
After all, it seems reasonable to take the position that one can never be obliged 
to achieve the impossible. This leads to the optional property (6) $\models \neg O_a(\bot < \delta)$, 
which is similar to standard deontic logic’s D-axiom $\neg O\bot$ [15]. However, 
we might also take the position that one can have an obligation to achieve 
the impossible. But, since $O_a(\bot < \delta)$ expresses that we have to achieve the 
impossible before the deadline condition $\delta$ occurs, we have to conclude that this 
leads to the view that there will certainly be a violation whenever $\delta$ occurs 
for the first time. This leads to the optional property: (7) $\models O_a(\bot < \delta) \rightarrow 
\neg E(\neg\delta\, U^e\, (\delta \wedge \neg\mathit{Viol}(a)))$. 

Finally we consider the case where the accomplishment is $\top$. How to deal with 
this situation depends on whether we consider the obligation to be personal or 
not. As discussed, for the personal case, we have to use an agency operator. 
In most logics of agency, $\top$ cannot be achieved by any agent ($\models \neg E_a\top$). This 
motivates the optional property (8) $\models \neg O_a(\top < \delta)$. However, if obligations are 
not personal, this is not necessarily intuitive. At this point we might not want 
to digress from standard deontic logic, where the obligation for a tautology is 
always valid. Thus we have the optional property (9) $\models O_a(\top < \delta)$. 


4 A simple formalization 

After having discussed some choices for modelling deadlines in the previous 
section we will present a first logical formalization. 

As mentioned, $E_a\rho$ indicates that the agent $a$ sees to it that $\rho$ becomes true. If 
$E_a\rho$ is true at some point in time, then $\rho$ is true at the next point in time. We use 
the symbols $\rho$ and $\sigma$ for propositions that embody some kind of accomplishment 
being established before a deadline condition occurs. 

Let $M$ be a CTL model, $s$ a state, and $\sigma = \sigma_0, \sigma_1, \sigma_2, \ldots$ a full path in $M$. 
A straightforward modal semantics for the operator $O_a(\rho < \delta)$ is then defined 
as follows: 

$M, s \models O_a(\rho < \delta) \Leftrightarrow \forall\sigma$ with $\sigma_0 = s$, $\forall j$: 
if $M, \sigma_j \models \delta$ 
and $\forall i$ with $0 \leq i < j$: $M, \sigma_i \models \neg E_a\rho$, 
then $M, \sigma_j \models \mathit{Viol}(a)$ 

This says: if at some future point the deadline occurs, and until then the 
result has not yet been achieved, then we have a violation at that point. This 
semantic definition is equivalent to the following definition as a reduction to 
CTL: 


$O_a(\rho < \delta) =_{def} \neg E(\neg E_a\rho\, U^e\, (\delta \wedge \neg\mathit{Viol}(a)))$ 



This formula just expresses the negation of the situation that should be 
excluded when a deontic deadline is in force. In natural language this negative 
situation is: ‘$\delta$ becomes true at a certain point, the achievement has not been 
met until then, and there is no violation at $\delta$’. This makes it fairly easy 
to show the equivalence of the semantic definition and the definition in terms of 
CTL (details left to the reader). The above defined deadline operator persists 
after reaching the deadline, and satisfies properties 2, 5, and 7 discussed in the 
previous section. 

However, despite the nice properties and the simple and elegant represen- 
tation of the concepts, the definition does not cover the intuitions of figure 1 
completely. This becomes apparent when we look at a situation in which an 
agent $a$ achieves $\rho$ before a certain condition $\delta$ becomes true. Whenever this 
appears to be true it follows that $a$ has the obligation to achieve $\rho$. I.e., the fact 
that an agent will achieve something implies that he is obliged to achieve it. 

We suggest that the source of this problem might be that we have failed to 
formalize the ‘causal link’ that intuitively relates failures to comply to the obli- 
gation and occurrences of the violation condition. In the truth condition above, 
we have only dealt with one direction of the implicative relation between non- 
compliance and violation: we have captured that when there is non-compliance, 
there is also a violation. But we have failed to capture a reverse implicative 
direction saying that only if there is non-compliance there can be violations. 

In the next section we will propose an extended definition that tries to es- 
tablish this causal link between non-achievements and violations. 

5 The causal approach 

In [13] we have already attempted to capture some aspects of the causal link 
between non-achievement and violations. However, that formalization did not 
force the condition that there can never be a violation of the obligation before 
the deadline condition holds. It also allows situations where $\rho$ is achieved while 
there is still a violation after the deadline condition. Somehow we have to ‘close’ 
the possible worlds in a way that either we have the achievement and no violation 
after that, or a violation and no achievement, before the deadline. In this way we 
approach most closely that the achievement of $\rho$ causes the $\neg\mathit{Viol}(a)$. 

The definition given below differs from the one in section 4 on three important 
points. First of all, for a deadline obligation to be valid, it now requires that the 
deadline condition actually occurs at some point in the future. A second crucial 
difference is that we strengthen the ‘if’ construction in the truth condition to 
an ‘if-and-only-if’ condition, by which we attempt to capture the causal relation 
between non-compliance and violation. This ‘if-and-only-if’ condition takes the 
form of a disjunction (the ‘or’ in the truth condition below) saying that either 
$E_a\rho$ holds (in time), meaning that there is compliance, or $E_a\rho$ does not hold 
before $\delta$, in which case there is non-compliance. Note that the disjunction is 
exclusive, because either $\rho$ is achieved or not, but not both. Finally, we require 
violations to persist once they have occurred, and we require non-violations 
to persist when the achievement is accomplished in time, or if no deadline or 
achievement condition has yet occurred. 


$M, s \models O_a(\rho < \delta)$ iff $\forall\sigma$ with $\sigma_0 = s$: $\exists j > 0$: 

$M, \sigma_j \models \delta$ and $\forall 0 \leq k < j$: $M, \sigma_k \models \neg\mathit{Viol}(a) \wedge \neg\delta$ and 

($\exists 0 \leq k < j$: $M, \sigma_k \models E_a\rho \wedge AG\neg\mathit{Viol}(a)$ or 

($\forall 0 \leq k < j$: $M, \sigma_k \models \neg E_a\rho$ and $M, \sigma_j \models AG\,\mathit{Viol}(a)$)) 

We can express this semantic definition in terms of a CTL formula as well: 


$O_a(\rho < \delta) =_{def} A($ 

$\quad (\neg\mathit{Viol}(a) \wedge \neg\delta)\, U^e\, \delta \;\wedge$ 

$\quad ((\neg\delta\, U^e\, (\neg\delta \wedge E_a\rho \wedge AG\neg\mathit{Viol}(a))) \;\vee$ 

$\quad ((\neg E_a\rho \wedge \neg\delta)\, U^e\, (\delta \wedge AG\,\mathit{Viol}(a)))))$ 

The lines of the formula correspond to the lines of the truth condition. The 
second line expresses that $\delta$ becomes true at a specific point in the future, that 
we consider the first time this happens, and that there cannot be a violation 
of the obligation until then. The third line expresses one side of the exclusive 
disjunction, saying that $E_a\rho$ occurs before the first $\delta$, and that there cannot be a 
violation afterwards. The fourth line expresses the other side of the disjunction, 
saying that $E_a\rho$ has not occurred before the first $\delta$, and that starting from the 
point where $\delta$ holds, violations persist forever. The latter condition expresses that the 
information that the obligation is violated is preserved. 

In the above definition, the obligation is always discharged by the occurrence 
of a deadline condition. So, for this variant, the obligation does not persist until 
after the deadline. Furthermore, the definition obeys the properties 1, 5 and 7 
of section 3. 
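As an added example (not code from the paper), the following Python checker implements the path-based semantics of section 2 and evaluates both deadline operators, the simple reduction of section 4 and the causal definition of section 5, on small constructed models. It assumes finite acyclic models (so every full path is finite), treats $E_a\rho$ and $\mathit{Viol}(a)$ as plain atoms whose labelling respects $E_a\rho \rightarrow X\rho$, and takes $X\varphi$ to be false at a path's final state.

```python
# Added example, not from the paper: a small path-enumerating CTL checker for the
# reflexive until U^e and the two deadline operators O_a(rho < delta).
# Assumptions: models are finite and acyclic (full paths are finite), E_a rho and
# Viol(a) are the atoms "Ea_rho" / "Viol_a", and X phi is false at a terminal state.

TRUE = ("true",)

def atom(p): return ("atom", p)
def Not(f): return ("not", f)
def And(*fs): return ("and",) + fs
def Or(*fs): return ("or",) + fs
def E(a): return ("E", a)
def A(a): return ("A", a)
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)          # f U^e g: g at some n, f at every i < n
def EF(f): return E(U(TRUE, f))          # abbreviations of section 2
def AG(f): return Not(EF(Not(f)))


class Model:
    def __init__(self, succ, label):
        self.succ = succ        # state -> list of successor states (acyclic)
        self.label = label      # state -> set of atoms true in that state

    def full_paths(self, s):
        """All full paths starting at s: maximal sequences, finite since acyclic."""
        if not self.succ.get(s):
            return [(s,)]
        return [(s,) + rest for t in self.succ[s] for rest in self.full_paths(t)]


def holds(m, s, f):
    """M, s |= f for a state formula f (the truth definition of section 2)."""
    op = f[0]
    if op == "true":
        return True
    if op == "atom":
        return f[1] in m.label[s]
    if op == "not":
        return not holds(m, s, f[1])
    if op == "and":
        return all(holds(m, s, g) for g in f[1:])
    if op == "or":
        return any(holds(m, s, g) for g in f[1:])
    if op == "E":
        return any(path_holds(m, p, f[1]) for p in m.full_paths(s))
    if op == "A":
        return all(path_holds(m, p, f[1]) for p in m.full_paths(s))
    raise ValueError(op)


def path_holds(m, path, a):
    """M, sigma, s |= a for a path formula a; boolean combinations are allowed."""
    op = a[0]
    if op == "X":
        return len(path) > 1 and holds(m, path[1], a[1])
    if op == "U":   # psi at sigma_n and phi at sigma_0 .. sigma_{n-1}
        return any(holds(m, path[n], a[2]) and all(holds(m, path[i], a[1]) for i in range(n))
                   for n in range(len(path)))
    if op == "and":
        return all(path_holds(m, path, g) for g in a[1:])
    if op == "or":
        return any(path_holds(m, path, g) for g in a[1:])
    return holds(m, path[0], a)   # a state formula evaluated at the path's start


EA_RHO, VIOL, DELTA = atom("Ea_rho"), atom("Viol_a"), atom("delta")

# Section 4: O_a(rho < delta) =def not E(not E_a rho U^e (delta and not Viol(a)))
SIMPLE = Not(E(U(Not(EA_RHO), And(DELTA, Not(VIOL)))))

# Section 5: the causal definition, one line per line of the paper's CTL formula
CAUSAL = A(And(
    U(And(Not(VIOL), Not(DELTA)), DELTA),
    Or(U(Not(DELTA), And(Not(DELTA), EA_RHO, AG(Not(VIOL)))),
       U(And(Not(EA_RHO), Not(DELTA)), And(DELTA, AG(VIOL))))))


def deadline_verdicts(m, s):
    """Return (simple, causal): the truth values of O_a(rho < delta) at state s."""
    return holds(m, s, SIMPLE), holds(m, s, CAUSAL)


# Constructed model in the spirit of Figure 1: a compliant and a violating branch
FIG1 = Model(
    {"s0": ["s1", "s4"], "s1": ["s2"], "s2": ["s3"], "s4": ["s5"]},
    {"s0": set(), "s1": {"Ea_rho"}, "s2": {"rho"}, "s3": {"delta"},
     "s4": set(), "s5": {"delta", "Viol_a"}})

# Constructed model with a violation NOT caused by non-compliance: rho is achieved
# in time, yet Viol(a) appears at the deadline. Only the causal definition rejects it.
SPURIOUS = Model(
    {"s0": ["s1"], "s1": ["s2"], "s2": ["s3"]},
    {"s0": set(), "s1": {"Ea_rho"}, "s2": {"rho"}, "s3": {"delta", "Viol_a"}})

# Constructed model where delta never occurs: property (2) holds for the simple
# definition (void obligation), property (1) for the causal one.
NEVER = Model({"s0": ["s1"], "s1": []}, {"s0": set(), "s1": set()})

if __name__ == "__main__":
    for name, m in [("FIG1", FIG1), ("SPURIOUS", SPURIOUS), ("NEVER", NEVER)]:
        print(name, deadline_verdicts(m, "s0"))
```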

6 Practical aspects of deadlines 

In this section we briefly discuss a few aspects that start playing a role when 
looking at more concrete aspects of deadlines. 

The first aspect is the violation constant. In this paper the $\mathit{Viol}$ constant 
has only one parameter, the agent $a$. However, we would actually like to tie the 
violation to a specific obligation incurred at a specific moment in time. This 
is necessary to distinguish two obligations for the same agent that might only 
differ in the timing. E.g. the obligation to pay the rent before the end of the 
month occurs every month. But each month it is a different obligation. This 
can be achieved through the addition of a unique identifier for each obligation. 
This definition provides a very operational means to deal with violations, as it 
gives explicit information about what has caused the violation and can therefore 
enable reasoning about the consequences and sanctions related to the 
violation. 

However, at the same time this unique identifier would eliminate any logical 
relations between obligations that are connected. E.g. someone might have an 
obligation to pay a conference fee while (due to budget restrictions that became 
clear only later) it is from now on prohibited to pay for any conference. The 
two norms relate to the same person and have opposite effects on the action 
of paying. However, if each were modelled with a violation constant with 
a different identifier they could not be related and the intuitive contradiction 
between the two would not exist. 

As a solution to this problem we could introduce violations that have the 
same parameters as the obligations to which they are linked. In this way it 
becomes possible to specify logical relations between violations of which the 
actor, the deadlines and the situation to be achieved are related. However, this 
has as consequence that the violations are now also modal operators! 

A second point that comes up right away is which logical relations should hold 
between the violations? Do we have 

$(V_a(\rho < \delta) \wedge (\rho' \rightarrow \rho)) \rightarrow V_a(\rho' < \delta)$ 

and/or 

$(V_a(\rho < \delta) \wedge (\delta' \rightarrow \delta)) \rightarrow V_a(\rho < \delta')$ 

Of course these properties are directly coupled to the properties that we would 
like to have for the obligation operator. A complete investigation into this issue 
warrants a separate paper and therefore will not be pursued here. However we 
would like to point to [11] for some related work in this area. 

Closely related to the above item is the point that we made violations (and 
non-violations) persistent over time. Once a deadline is violated, this violation 
will never disappear again. This seems a bit contradictory to common practice, 
where sanctions are defined as obligations, conditional on the occurrence of a 
violation, in order to make it possible for violations to be redeemed. So, we make 
a difference between a violation that has not been “made up for” yet and one for 
which a sanction has been exercised already. This aspect could be modelled by 
not having the violation persistent, but having an axiom that triggers a sanction 
(obligation) whenever a violation occurs. 

A second item that is important in practice is that obligations are often 
conditional and/or repeated. The above example on paying the rent is a very 
typical case of a repeated obligation. The whole obligation to pay rent, however, 
can be made conditional on the fact that the house is properly maintained by the 
owner. Related to this aspect is that more temporal conditions can be specified 
for the achievement. E.g. the salary should be paid between the 25th and the 
end of each month. 

Although we represent the deadline condition as a proposition in this paper, 
often it contains a relative temporal expression such as “the book should be paid 
within one week after delivery”. In order to express this type of condition one 
should have a more powerful language in which explicit reference to time can be 
made. 

A last item to mention here is the use of discrete time in our model. This is 
particularly important to decide on the exact moment when a violation arises. 
In a model with continuous time the achievement of a fact (an action) has to 
have a duration (whereas the achievement in our model always takes one time 
step). So the definition of $E_a\rho$ has to be changed. On the other hand, in a 
model with continuous time we can determine a violation before the deadline if it is 
no longer possible to achieve the required state before the deadline condition. 

7 Conclusions 

In this paper we have shown that the use of a violation constant is in principle 
powerful enough to account for the deontic aspect of deadlines. Of course a 
temporal logic is needed to account for the temporal aspects. Finally we used 
the stit operator $E_a$ to relate the achievement of a state to an agent. This is 
important, because we consider the deadlines to be directed towards an agent 
and thus this agent has the responsibility to fulfill it. We do not use dynamic 
logic to model explicit actions in order to keep the model as abstract as possible. 
However, an obvious connection between the operator presented and dynamic 
logic can be made through the use of Segerberg’s bringing-it-about operator [12]. 

We have also shown that a correct definition of deadlines in the formalism 
requires a modelling of the intuitive causal relation between the occurrence of the 
action before the deadline and the violation state. This causal relation makes the 
formal definition of a deadline quite complicated, although the simple intuitive 
picture of the semantics (given in section 2) is still valid. 
Abstract. The problem of MAS reliability is approached through representing 
the functioning of a MAS as a system of logical implications, and then inter- 
preting this system as a game of deterrence. The game solutions provide indica- 
tors for the agent’s reliability, and enable in case of an agent’s failure, to select 
a search direction for determining the origin of the failure. The MAS reliability 
is increased by duplicating some agents. The impact of the duplicate’s position- 
ing in the MAS is analysed on a particular case. 


1 Introduction 

Multi-agent systems are composed of several entities organized to work together in order to collectively solve problems. A system failure may occur because of one component's failure, which propagates throughout the agent network. Conversely, a particular agent's failure may have different causes.

First, the source of an agent failure may be internal, i.e. one of its elements doesn't work properly. It is then possible either to remove the agent from the system and physically replace it by an equivalent one, or simply to by-pass it, the taskflow running through some alternate device or agent.

This would be the case for instance if two similar agents work in parallel, their workloads being shared. Assume that agent A breaks down. If the workload has been properly dimensioned on the basis of both the total inflow and, say, the probability of an agent failure, then agent B can add agent A's load to its own, at the possible cost of some delay.

But the source of the agent failure may also be external, i.e. at least one of the neighbouring agents doesn't function properly. If the neighbouring agent's failure itself comes from the failure of an agent which is a neighbour of this neighbouring agent, finding the ultimate source of the system's failure implies developing some recursive process, and hence building some causality chain.

An interesting case is the one when failure derives from a specific state of the 
agent, incompatible with given states of neighbouring agents. 



This is of course just a particular case of the more general inference problem, which has been addressed using different techniques like finite state machines, cognitive maps, qualitative probabilistic networks, or structural analysis [1,2,6].

In line with our previous developments on multi-agent systems, we propose here to 
model inference by using the game of deterrence approach in the fuzzy case. 

On the one hand, this approach will match the finite state machine approach, while on the other it will provide an inference system giving an assessment of the role of a particular agent in the well-functioning or, on the contrary, the ill-functioning of another agent.

We shall begin by recalling some basic definitions of games of deterrence, before associating these games, through graphs of deterrence, with systems of logical implications.

We shall then see how introducing fuzziness in the strategies' playabilities leads to the development of an inference network, such that each node is associated with an inference value, based on the playability index associated with that node.

The method will be illustrated with two examples. The first one will consider the elementary case, where no internal failure occurs. The second, generalizing the first one, will introduce the possibility of internal failures.

Finally, we shall propose, on a particular example of multi-agent system, a straightforward method to find the origin of an agent's failure.


2 Deterrent agents and games of deterrence 

Deterrent agents can only distinguish between two states of the world: acceptable (noted 1) and unacceptable (noted 0). All they want is to be in an acceptable state.

If they have a strategy that guarantees them an acceptable situation whatever the other agents do, they should by all means play it, because it is safe. But this is not always the case. Sometimes selecting a strategy could put them in an unacceptable situation if the other agents select some particular strategies. In that case the strategy is clearly dangerous. But that does not mean that it is not playable. Suppose for instance that Erwin and Roger are agents such that, when Erwin and Roger select the strategic pair (e,r), Erwin gets a 0, and Roger's strategy r is not playable. Then e is playable, albeit dangerous. We shall say that e is positively playable.

In the case where Erwin has no positively playable strategy, since he has to take a decision, any strategy will do, albeit poorly. We shall then say that such a strategy is playable by default. A strategy neither positively playable nor playable by default will be termed not playable.

Moreover, we shall say that Erwin's strategy e is deterrent vis-a-vis Roger's strategy r if the three following conditions apply:

1) e is playable;

2) implementation of the strategic pair (e,r) leads to an unacceptable situation for Roger;

3) Roger has an alternative strategy r' which is positively playable.

It has been shown [3] that a strategy r of Roger is not playable if and only if there is a strategy e of Erwin deterrent vis-a-vis r.

Let us illustrate these concepts with the following elementary example (Erwin's strategies e1, e2 in rows, Roger's strategies r1, r2 in columns; each cell gives the outcome pair (Erwin, Roger)):

           r1        r2
    e1   (1,1)     (1,1)
    e2   (1,1)     (1,0)

We see that both strategies of Erwin and strategy r1 of Roger are safe, while r2 is dangerous. Furthermore e2 is deterrent vis-a-vis r2, which is thus not playable.

Now it has been shown [ibid] that every matrix game of deterrence can be associated with a bipartite graph such that, if (e,r) is a strategic pair, then there is an arc of origin e (resp. r) and extremity r (resp. e) if and only if the outcome of Roger (resp. of Erwin) is 0.


3 Associating a system of logical implications with a game of 
deterrence. 

Causality problems analysis usually resorts to an oriented graph representation such 
that, given an arc linking two concepts, its origin is a causal factor of its extremity. 

We propose here to revisit the problem by bridging causality with games of deter- 
rence, through the common graph approach. 


3.1 Logical representation of a game of deterrence 

Given a two player game of deterrence, let us consider the following set of logical formulae:

1) a finite set of propositions j(s) indicating that strategy s is a playable strategy;

2) a finite set of propositions J(s) indicating that strategy s is a positively playable strategy.

Only a particular set S of formulae will be used for this representation:

(i) propositions and negations of propositions as defined above;

(ii) logical implications built on these elementary formulae.


3.2 Non fuzzy graph of deterrence and representation of a logical system

To build the graph associated with a given set S of formulae, consider the implication P ⇒ ¬Q, denoted by N(P,Q).

With each subset S1 of formulae, we can associate a bipartite graph defined as follows:

1. the graph vertices are propositions or negations of propositions;

2. arcs are pairs of formulae (P,Q) such that N(P,Q) is true;

3. if P → Q denotes the arc of origin P and extremity Q, then P → Q iff P ⇒ ¬Q.

Then, as P ⇒ Q writes N(P,¬Q), P ⇒ Q can be represented by the path

P → ¬Q → Q iff P ⇒ Q is true (since obviously ¬Q ⇒ ¬Q is true).

As ¬Q and Q are both vertices of the graph, and hence represent two strategies, we must add a consistency condition which discards the game of deterrence solutions for which both strategies are playable. This condition will provide a safe strategy for player II, implying that ¬Q is not playable, and that Q is.

This can be done by adding to the set S1 the proposition ¬(¬Q.Q), called first order consistency condition for Q, which defines a vertex with neither predecessor nor successor in the graph.

We can then associate with the set S'1 = S1 ∪ {¬(¬Q.Q)} a matrix game of deterrence G with two abstract players I and II such that:

1. {P, Q} is the strategic set of player I;

2. {¬(¬Q.Q), ¬Q} is the strategic set of player II;

3. the graph above is the graph of deterrence of G;

4. with every strategic pair (X,Y) we associate the binary outcome pair (a(X,Y), b(X,Y)) such that a(X,Y) = 1 (resp. b(X,Y) = 1) unless there is an arc of origin Y (resp. X) and extremity X (resp. Y).

In other words, the implication P ⇒ Q is equivalent to the above game of deterrence.

This conclusion can be extended straightforwardly to any set of bivalent implications.


3.3 Fuzzy graph representation of a logical system.

Similarly, for every set ψ_L of propositions of a bivalent logical system L, there exists a unique fuzzy matrix game of deterrence G such that ψ_L is the logical representation of G.

Indeed, the construction procedure introduced above is still valid, since the only difference between fuzzy and non fuzzy matrix games of deterrence lies in the domains of the playability and positive playability indices, the matrices being the same.

The correspondence between ψ_L and G is derived from the matrix, with the exception of the consistency condition, which here does not provide a safe strategy for player II, but a circuit or, more generally, a graph with no paths (i.e. no roots).

Such a consistency condition, which will be called the second order consistency condition for Q, must ensure the absence of contradiction on the one hand, and the possibility of non binary values for the positive playability indices on the other.

Consider for instance: {N(¬(¬Q.Q), (¬Q.Q)) ; N((¬Q.Q), ¬(¬Q.Q))}, which, in terms of graph representation, is equivalent to the circuit:

¬(¬Q.Q) ↔ (¬Q.Q)

This second order condition introduces not one, but two extra strategies that are adjacent vertices of a graph of deterrence. Therefore, we need to allocate each of them to a different player.

For the sake of simplicity, let us denote (¬Q.Q) by a, and ¬(¬Q.Q) by a'.

It is clear that on the circuit

$J(a) = [1 - J(a')]\,v \quad\text{and}\quad J(a') = [1 - J(a)]\,v, \quad\text{where } v = 1 - j_{II}$

and $j_{II}$ is the index of playability by default of player II¹.

Solving this elementary system of two equations leads straightforwardly to:

$J(a) = J(a') = \dfrac{v}{1+v}$

Consequently, a and a', having the same positive playability, may be associated with either player, provided of course that both are not allocated to the same player.

It stems from the demonstration above that this result does not depend on which particular strategy has been selected to build the second order consistency condition. In turn, this means that a variety of such conditions can be chosen, depending on the particular case under consideration.

It also means that with each vertex X which is not a root of the graph, we shall associate a second order consistency condition for X, defined by a circuit comprised of two strategies, the positive playability value of which is v/(1+v).


3.4 Example.

Let us consider for instance the logical system defined by: P ⇒ Q ⇒ R.

The set of propositions can be translated into the following graph:

P → ¬Q → Q → ¬R → R ; ¬(¬Q.Q) ↔ (¬Q.Q) ; ¬(¬R.R) ↔ (¬R.R)

It can be shown that there is a unique non binary solution for which:

J(P) = 1 ; J(¬Q) = 0 ; J(Q) = .81 ; J(¬R) = .16 ; J(R) = .68 ;

J(¬(¬Q.Q)) = J(¬Q.Q) = J(¬(¬R.R)) = J(¬R.R) = .45


¹ i.e. j_II = 1 if the positive playability indices of all strategies of player II equal 0.



To analyze the exact meaning of these positive playability indices associated with logical propositions, we need to come back to the meaning of the positive playability indices associated with strategies.

More precisely, let us consider the case of a path. It has been shown [4] that:
- the positive playability indices of strategies of odd rank decrease with the rank;
- the positive playability indices of strategies of even rank increase with the rank;
- when the length of the path tends toward infinity, the value of the positive playability index tends toward .5.

The interpretation is quite straightforward. Given that the root is the only safe strategy for player I, the "likelihood" of player I selecting the root is very high. Therefore, the "likelihood" of player II selecting strategy 2 can be considered negligible. In turn, this means that the "likelihood" of player I selecting strategy 3, while being smaller than for the root (after all, selecting the root presents absolutely no danger, and it is the only strategy which displays this property), can be quite large. In turn, the "likelihood" of player II selecting strategy 4, although small (because the likelihood of player I selecting strategy 3 is large), is bigger than the "likelihood" of player II selecting strategy 2, and so on.

How does this translate in the case where strategies are logical propositions?

The almost trivial idea that immediately comes to mind is that the above three-proposition system is nothing more than a causality chain. Consequently, if we limit the reasoning to the path once again (discarding the consistency conditions), the value of the playability index for the vertices of odd rank somehow describes the "inference value" of the root with respect to the other vertices.

Considering the vertices of even rank, which represent the negations of the propositions associated with the vertices of odd rank that follow them, we can say the same.

In more explicit terms:

- the effect of P on the occurrence of Q can be measured by J(Q), which in the above case equals .81;

- the effect of P on the non-occurrence of ¬Q can be measured by 1 - J(¬Q), which in the above case equals 1.

The difference between these two values comes from the fact that ¬Q and Q are vertices associated with different ranks on the graph. Although it might look weird at first, it seems that for Q to occur, it is not enough that P does, but one must moreover state that ¬Q doesn't.


4 Application to MAS reliability: Example 1.

As already stated, a failure at the agent level can diffuse throughout the network, causing the failure of other agents, and possibly of the entire system.

Moreover, it can happen that partial but simultaneous failures of different agents generate identical phenomena.

To avoid that, one usually resorts to a two step method:

1) analyze the effect of the particular agent failure on the system;

2) redesign the system to improve its global reliability.

We propose to revisit that method with the help of the above results.


4.1 Example 1: The three agent system with no internal failure.

First, considering an agent network means considering an inference network.

To give an elementary illustration, let us consider for instance an information line with three agents, p, q and r, such that p transforms some input, then passes the transformed input to agent q, which does the same with agent r. It is clear that agent r, in order to be able to fulfil its task, needs to get the result of agent q's work, which in turn requires the data transformed by agent p.

Let P, Q and R be three bivalent logical propositions defined as follows:

P : agent p functions properly

Q : agent q functions properly

R : agent r functions properly

Let us assume that P ⇒ Q ⇒ R, which means that q and r never suffer any internal failure.

It stems from the previous section that this double implication is equivalent to the graph

P → ¬Q → Q → ¬R → R ; ¬(¬Q.Q) ↔ (¬Q.Q) ; ¬(¬R.R) ↔ (¬R.R)

associated with a fuzzy matrix game of deterrence, such that there is a unique non binary solution defined by:

J(P) = 1 ; J(¬Q) = 0 ; J(Q) = .81 ; J(¬R) = .16 ; J(R) = .68 ;

J(¬(¬Q.Q)) = J(¬Q.Q) = J(¬(¬R.R)) = J(¬R.R) = .45

As already stated, the value of the positive playability index associated with a ver- 
tex located on the path can be interpreted as an “inference value” of the root with 
respect to the vertex under consideration. 

More specifically, if we consider the vertices of odd rank, the positive playability index indicates how the well-functioning of agent p influences the well-functioning of agents q and r.

In other words, J(X) indicates the "likelihood" of agent x functioning properly, given:

- the system's structure,

- that the agent associated with the root functions properly.

These two elements define the information scheme on which the likelihood is 
based. 



Hence with a different information scheme, the likelihood may take a different 
value. 

In particular, J(X) = 1 is associated with a specific information scheme, for which 
X may be considered as a root of the sub-graph derived from the original graph, by 
deleting all predecessors of X. 


4.2 Exploiting information about agents' playability.

Assume that J(X) = 1.

It stems from the playability equations that J(¬X) = 0, which implies that if Y is a direct predecessor of ¬X on the original graph, J(Y) = 1, which implies in turn that J(¬Y) = 0, and so on.

So, if we assume for instance that J(R) = 1, then J(Q) = J(P) = 1.

At first sight, this conclusion seems to contradict the results obtained when assessing the values of the positive playability indices, for it was found that no vertex other than the root could be associated with a positive playability index equal to 1. But in reality this contradiction is only apparent, since one should remember that any playability system always has an integer solution (i.e. there is always a distribution of integer values of the positive playability indices satisfying the playability system).

Now, given the initial double implication, which discards the possibility of agents' internal failures, the above conclusion becomes trivial: it just states that for the last agent to function properly, all agents that are predecessors of this last agent (here p and q) must function properly.

Conversely, if agent x doesn't function properly, proposition X is not true and, because the propositions considered here are bivalent, proposition ¬X is true.

In other words, proposition ¬X can be associated with J(X) = 0.

But on the other hand, by the construction method developed above, ¬X is a vertex of the graph of deterrence, and it is the only adjacent predecessor of X on this graph, which means that either j(¬X) = 1 (v = 0) or J(¬X) = 1.

In the first case, all strategies of player II, and especially all strategies of type ¬X, are playable by default, with the consequence that no strategy of player I, except for the root, is playable. Hence the system can never work. Therefore this case can be discarded, for it has no interest (this is precisely the reason why we have introduced a second order consistency condition enabling fuzzy playabilities).

So let us examine the case where J(¬X) = 1.

By using the same backward induction as above, one comes to the conclusion that agent p does not work, which simply states the double implication ¬R ⇒ ¬Q ⇒ ¬P, strictly equivalent to the original double implication.

On the whole, in the very elementary example considered here, the only possible source of failure of agent r, or of agent q, is the failure of agent p, and the source of failure of an agent can be derived from the graph structure.

We shall now apply these conclusions to more complex cases.

We shall now apply these conclusions to more complex cases. 


5 Introducing the possibility of internal failures: Example 2.


5.1 Graph structure and solution of the playability system.

Everything else being equal, let us relax the assumption of no internal failure.

This means that the cause of failure of agent x can now be:
- either an internal failure,
- or a failure of one of agent x's predecessors.

Of course, the above double implication between P, Q and R is no longer valid.

To represent the MAS by a system of logical implications, we need to introduce propositions describing the states of internal failure of each agent (with a possible exception for the root).

So let us introduce the proposition I_x: "there is an internal failure of agent x".

Agent x will function properly if and only if y functions properly and there is no internal failure of x, which writes: X ⇒ Y ∧ ¬I_x, or: ¬Y ∨ I_x ⇒ ¬X.

It can be noticed that in the graph of deterrence representation of a bivalent logical system, the logical operator ∨ is equivalent to two arrows pointing at the same vertex.

So the above implication can be represented by:

¬Y → X → ¬X, with I_x → X

To avoid I_x being a root of the graph, which would mean that agent x always has an internal failure, we need to introduce the possibility of no internal failure, and write that ¬I_x and I_x cannot occur simultaneously, which also gives the second order consistency condition associated with agent x.

The structure of the graph around X becomes:

... Y → ¬Y → X → ¬X ..., with I_y ↔ ¬I_y and I_y → Y, I_x ↔ ¬I_x and I_x → X

The graph of deterrence representing the MAS is then the following:

P → ¬P → Q → ¬Q → R → ¬R, with I_q ↔ ¬I_q and I_q → Q, I_r ↔ ¬I_r and I_r → R


The reason why there is no consistency condition associated with P is twofold:

- just as in the previous example, we try to assess how the proper functioning of p affects the proper functioning of the other agents of the MAS;

- were it not the case, the consistency condition would be partially redundant with proposition P, because agent p has no predecessor in the MAS.

The players' strategic sets are:

- for player I: P, Q, ¬I_q, ¬I_r and R;
- for player II: ¬P, I_q, ¬Q, I_r and ¬R.

The playability system writes:

$J(P) = 1;\quad J(\neg P) = 0;\quad J(Q) = [1 - J(\neg P)][1 - J(I_q)]\,v;\quad J(\neg Q) = [1 - J(Q)]\,v$

$J(R) = [1 - J(\neg Q)][1 - J(I_r)]\,v;\quad J(\neg R) = [1 - J(R)]\,v$

$J(I_q) = [1 - J(\neg I_q)]\,v;\quad J(\neg I_q) = [1 - J(I_q)]\,v;\quad J(I_r) = [1 - J(\neg I_r)]\,v;\quad J(\neg I_r) = [1 - J(I_r)]\,v$

$1 - v = [1 - J(\neg P)][1 - J(\neg Q)][1 - J(\neg R)][1 - J(I_q)][1 - J(I_r)]$

We know that $J(I_q) = J(\neg I_q) = J(I_r) = J(\neg I_r) = v/(1+v)$.

This means that the likelihood of an internal failure is the same for agent q and agent r (or more generally, for any subsequent agent in the MAS). Of course this result is associated with a particular state of information, for which the only thing known about the MAS is its structure: no difference being made between the agents, it is only natural that the likelihood of their internal failure is the same.

Then: $J(Q) = J(\neg Q) = \dfrac{v}{1+v};\quad J(R) = \dfrac{v}{(1+v)^2};\quad J(\neg R) = v\left[1 - \dfrac{v}{(1+v)^2}\right]$

and $1 - v = \left[\dfrac{1}{1+v}\right]^3\left[1 - v\left[1 - \dfrac{v}{(1+v)^2}\right]\right] = \dfrac{1 + v - v^3}{(1+v)^5}$

One can show that this equation has a single non binary solution: v = .973.

The playability system's solution is then:

J(P) = 1 ; J(¬P) = 0 ;

J(Q) = J(¬Q) = J(I_q) = J(¬I_q) = J(I_r) = J(¬I_r) = .493 ;

J(R) = .25 ; J(¬R) = .73.


5.2 Interpretation and generalization.

The likelihood of internal failure is the same for the two agents q and r, about .5, which simply states that in the absence of further information, internal failure and well-functioning are equally likely.

The properties found in the case with no failure are still valid:
- the positive playability of vertices with odd rank decreases with the rank;
- the positive playability of vertices with even rank increases.

The main difference with the no failure case is the magnitude of the variation, which is much greater in the present case.

This greater magnitude stems precisely from the possibility of internal failure: the likelihood of an agent x functioning properly sharply decreases with the distance of X from the root, since the proper functioning of x now requires two conditions, while only one was required in the case of no internal failure.

This conclusion can be generalized. Let us consider a MAS comprised of N agents x_1, x_2, ..., x_N, positioned in line.

The expression of the positive playability in terms of v:
- is the same for X_2 as for Q in the previous example;
- is the same for X_3 as for R in the previous example.

It follows that $J(X_3) < J(X_2)$.

Since $J(\neg X_2) = [1 - J(X_2)]\,v$ and $J(\neg X_3) = [1 - J(X_3)]\,v$, we can then conclude that $J(\neg X_3) > J(\neg X_2)$.

Furthermore, $J(X_3) = \dfrac{v}{1+v}[1 - J(\neg X_2)]$ and $J(X_4) = \dfrac{v}{1+v}[1 - J(\neg X_3)]$, the factor $v/(1+v) = v[1 - J(I_k)]$ accounting for the internal failure vertex of each agent.

It then stems from the inequality above that $J(X_4) < J(X_3)$.

More generally, given two agents x_k and x_{k+1} on the MAS such that:
- x_{k+1} is the immediate successor of x_k,
- $J(X_{k+1}) < J(X_k)$,

by using the same method, one can show that:

- $J(\neg X_{k+1}) > J(\neg X_k)$,

- $J(X_{k+2}) < J(X_{k+1})$,

where x_{k+2} is the immediate successor of x_{k+1} on the MAS. Whence the conclusion.


5.3 Finding the origin of a network dysfunction.

Consider for instance that agent r doesn't function properly, i.e. that J(R) = 0.

We know that there are two possible reasons for that: either there is an internal failure, or the predecessor q of r doesn't function properly itself.

Given the elementary case under consideration, such a conclusion is obvious. Nevertheless, it is of interest to note that one can come to such a conclusion by looking at the correspondence between the graph of deterrence and the system of logical implications with which it is associated.

Indeed, the graph structure around R is:

Q → ¬Q → R → ¬R, with I_r ↔ ¬I_r and I_r → R

which translates into the implication Q ∧ ¬I_r ⇒ R, equivalent to ¬R ⇒ ¬Q ∨ I_r.

Because here Q and ¬I_r play a similar role (i.e. both are simultaneously needed for R to be true, and J(I_r) = J(¬Q) = .493), there is no particular direction toward which one should look first to find the origin of the ill-functioning of R.

We shall see in the sequel that this might not always be the case.



6 Increasing the system's reliability


The second stage of the method consists of redesigning the graph in order to increase the playability index values of the nodes with odd rank.

The new graph must satisfy some requirements with respect to the agent network.

Thus, in the above example, there must be a way to go from agent p to agent q, and from agent q to agent r. At the same time, it would be meaningless to draw a direct "path" from agent p to agent r, since the latter needs the result of agent q's work to fulfil its own task. This means that in the example under consideration, no "redesign" seems possible.

Of course this conclusion does not apply to more complex systems, in particular systems in which some of the agents can work in parallel.


6.1 Graph representation of agents' parallelism.

Let us assume that agents p, q and r are substitutable, and that in order to increase the system's reliability we add another agent x that can replace any one of the three. Assume furthermore that only one agent can be added, for reasons of, say, available space (this could be the case for a system embarked on a space flight).

The question is then: where should x be positioned?

To answer, we first need to give an interpretation of the parallelism between agents x and y in terms of the graph of deterrence.

What is meant here by parallelism is that if agent x or agent y functions properly, then the system comprised of these two agents will function properly. So the proper functioning of this system can be associated with the proposition X ∨ Y and, conversely, the ill-functioning of the system can be associated with ¬X ∧ ¬Y.

In turn, this means that the graph of deterrence structure around X and Y is:

X → (¬X ∧ ¬Y) → ..., with Y → (¬X ∧ ¬Y)

i.e. both X and Y point at the single vertex ¬X ∧ ¬Y.

6.2 Duplicating the root.

Let us first assume that x is parallel to p. The network is then the following:

P → (¬X ∧ ¬P) → Q → ¬Q → R → ¬R, with X → (¬X ∧ ¬P), I_q ↔ ¬I_q and I_q → Q, I_r ↔ ¬I_r and I_r → R

X has the same positive playability as P in the graph associated with the previous MAS, while ¬X ∧ ¬P has the same positive playability as ¬P in the graph associated with the previous MAS. So J(¬X ∧ ¬P) = 0.

It follows that J(Q) can be expressed by the same function of v as in the previous case and, because J(¬X ∧ ¬P) = 0, v has the same value as previously. Consequently, it stems from the graph structure that the same goes for the positive playabilities of the remaining vertices.

On the whole, putting agent x in parallel with agent p does not affect the well-functioning of the agents located further down the MAS. The reason for this stems directly from the assumption about the root's well-functioning: P is the root of the graph of deterrence, which means that agent p is assumed to always function properly, in which case there is no point in duplicating this agent.


6.3 Duplicating agent q.

So let us now consider that x is parallel to q. The corresponding graph is:

P → ¬P → Q → (¬X ∧ ¬Q) → R → ¬R, with X → (¬X ∧ ¬Q), I_x ↔ ¬I_x and I_x → X, I_q ↔ ¬I_q and I_q → Q, I_r ↔ ¬I_r and I_r → R

We can see from the graph structure that the positive playabilities of P, ¬P, Q, I_q, ¬I_q, I_r and ¬I_r are the same as in the case with no duplicate.

I_x and ¬I_x have the same positive playability as I_q, while X has the same positive playability as Q: J(X) = v/(1+v).

Furthermore, $J(\neg X \wedge \neg Q) = \dfrac{v}{(1+v)^2}$.

For the sake of simplicity, let us momentarily denote J(¬X ∧ ¬Q) by w.

Then: $J(R) = \dfrac{v}{1+v}[1 - w]$ and $1 - J(R) = \dfrac{1 + vw}{1+v}$.

Similarly, $J(\neg R) = v[1 - J(R)] = \dfrac{v}{1+v}[1 + vw]$ and $1 - J(\neg R) = \dfrac{1 - v^2 w}{1+v}$.

And $1 - v = [1 - J(\neg P)][1 - J(\neg X \wedge \neg Q)][1 - J(\neg R)][1 - J(I_q)][1 - J(I_x)][1 - J(I_r)]$

$= [1 - w]\,\dfrac{1 - v^2 w}{1+v}\cdot\dfrac{1}{(1+v)^3} = \dfrac{[1 - w][1 - v^2 w]}{(1+v)^4}$

Replacing w by its value in terms of v and solving the equation leads to v = .971, which implies w = .25 and J(R) = .37, J(¬R) = .612.

So, putting agent x in parallel with q increases the positive playability of R by nearly 50%.
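The playability systems of Sections 5.1 and 6.3 can be checked numerically. The following Python program is an added example, not part of this paper: it builds the graph of deterrence of n agents in line, with the internal failure circuits of Section 5.1 and, optionally, a duplicate in parallel with agent k as in Section 6, and solves the playability system exactly as printed (roots fixed at J = 1, a single v = 1 - j_II shared by both players, J(X) = v times the product of [1 - J(Y)] over the predecessors Y of X, and 1 - v equal to the product of [1 - J(s)] over player II's strategies). The vertex names (X1, ~X2, I2, ~X&~X2, ...) are constructed here and are not the paper's notation; giving the duplicate the same inputs as the agent it doubles is the reading of "parallel" used in Section 7 (J(X) = J(X_k)). For a fixed v the indices are obtained by fixed-point iteration; v itself is found by bisection on the difference between 1 - j_II and v, which is positive near v = 0 and negative near v = 1, so it brackets the non-binary solution.

```python
# Added example (not from the paper): numerical solver for the fuzzy
# playability system of a graph of deterrence, as printed in Sections 5.1
# and 6.3 (one common v for both players, roots fixed at J = 1).


def line_mas(n, duplicate_at=None):
    """Build the graph of deterrence of n agents x_1..x_n in line.

    Every agent but the root gets an internal-failure vertex I_k tied to
    ~I_k by a second order consistency circuit (Section 5.1).  If
    duplicate_at = k, an agent X with the same inputs as x_k is added in
    parallel and the vertex ~X_k is replaced by the conjunction ~X&~X_k
    (Section 6.1).  Returns (preds, player2): the predecessor list of each
    vertex and the set of vertices held by player II.  Vertex names are
    constructed here (assumption), not the paper's notation.
    """
    preds, player2 = {}, set()
    prev_neg = None                      # negation vertex feeding the next agent
    for k in range(1, n + 1):
        x = f"X{k}"
        preds[x] = [] if prev_neg is None else [prev_neg]
        if k > 1:
            i, ni = f"I{k}", f"~I{k}"
            preds[i], preds[ni] = [ni], [i]          # I_k <-> ~I_k circuit
            preds[x].append(i)                       # I_k -> X_k
            player2.add(i)
        if duplicate_at == k:
            preds["X"] = [] if prev_neg is None else [prev_neg]
            if k > 1:                                # duplicate can fail internally too
                preds["Ix"], preds["~Ix"] = ["~Ix"], ["Ix"]
                preds["X"].append("Ix")
                player2.add("Ix")
            neg = f"~X&~X{k}"
            preds[neg] = [x, "X"]                    # both X_k and X point at it
        else:
            neg = f"~X{k}"
            preds[neg] = [x]
        player2.add(neg)
        prev_neg = neg
    return preds, player2


def positive_playabilities(preds, v, tol=1e-13, max_iter=20000):
    """For a fixed v = 1 - j_II, iterate J(X) = v * prod(1 - J(Y)) over the
    predecessors Y of X (a root keeps J = 1) until the indices settle."""
    J = {x: 0.0 for x in preds}
    for _ in range(max_iter):
        new = {}
        for x, ps in preds.items():
            if not ps:
                new[x] = 1.0
            else:
                prod = 1.0
                for p in ps:
                    prod *= 1.0 - J[p]
                new[x] = v * prod
        delta = max(abs(new[x] - J[x]) for x in preds)
        J = new
        if delta < tol:
            break
    return J


def default_gap(preds, player2, v):
    """(1 - j_II) - v with j_II = prod over player II of (1 - J); it is zero
    exactly at a solution of the full playability system."""
    J = positive_playabilities(preds, v)
    j2 = 1.0
    for s in player2:
        j2 *= 1.0 - J[s]
    return (1.0 - j2) - v


def solve(preds, player2, lo=1e-3, hi=0.99):
    """Bisection for the non-binary solution: the gap is positive near v = 0
    (player II's indices add up to more than v) and negative near v = 1.
    Returns (v, J)."""
    if not (default_gap(preds, player2, lo) > 0 > default_gap(preds, player2, hi)):
        raise ValueError("no non-binary solution bracketed in [lo, hi]")
    for _ in range(50):
        mid = (lo + hi) / 2
        if default_gap(preds, player2, mid) > 0:
            lo = mid
        else:
            hi = mid
    v = (lo + hi) / 2
    return v, positive_playabilities(preds, v)


if __name__ == "__main__":
    for dup in (None, 1, 2):
        v, J = solve(*line_mas(3, dup))
        print(f"duplicate at {dup}: v = {v:.4f}, J(X3) = {J['X3']:.3f}, "
              f"J(~X3) = {J['~X3']:.3f}")
```

Running it reproduces J(R) ≈ .25 without the duplicate, J(¬X ∧ ¬Q) ≈ .25 and J(R) ≈ .37 with the duplicate beside q, and confirms that duplicating the root changes nothing (Section 6.2). The bracketed root of the printed equation 1 - v = (1 + v - v³)/(1 + v)⁵ is v ≈ 0.963, and ≈ 0.961 for the duplicated case, slightly below the .973 and .971 quoted in the text; the other indices move only in the third decimal and the "nearly 50%" gain in J(R) is unchanged.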


6.4 Variation of the positive playability along the graph.


One can easily show that the positive playability variation properties still hold for the vertices located along the "spinal cord" (i.e. the main path) of the graph.

Indeed, let us again consider a MAS originally comprised of n agents, and then add an agent x positioned parallel to agent x_2.

It stems from the above that:

$J(X_3) = \dfrac{v}{1+v}[1 - J(\neg X \wedge \neg X_2)]$, and $J(\neg X_3) > J(\neg X \wedge \neg X_2)$.

Furthermore, $J(X_4) = \dfrac{v}{1+v}[1 - J(\neg X_3)]$.

It follows that $J(X_4) < J(X_3)$.

We then know from the above paragraph that for all k ≥ 3:

- $J(\neg X_{k+1}) > J(\neg X_k)$,

- $J(X_{k+2}) < J(X_{k+1})$,

where x_{k+2} is the immediate successor of x_{k+1} on the MAS.


6.5 Origin of a network dysfunction.

Let us consider once more that agent r doesn't function properly. We see from the graph that this situation can be associated with the implication ¬R ⇒ (¬Q ∧ ¬X) ∨ I_r.

Since all agents are equivalent by assumption, the time needed to check the well-functioning of an agent is the same, no matter the agent. Let us take this time as the unit of time. It means that looking in the direction of R's internal failure takes one unit of time, while looking in the alternative direction (i.e. ill-functioning of Q and of X) takes two units.

Let us consider, in line with the assumptions about the available information, that the probability of any one of the three agents not functioning properly is the same and, for the sake of simplicity, that only one agent doesn't function properly.

One can easily establish that whatever direction is selected first, the mean time required to find the origin of the failure is the same: checking r first locates the fault after one unit with probability 1/3 and after two units otherwise, and checking q then x does the same, both giving a mean of 5/3 units.

Consequently, with no information available (which means that the likelihood of each one of the three propositions is the same), there is no rationale to select one direction of search over another².

On the contrary, if we take into account the "structural" information derived from the graph of deterrence, since J(¬Q ∧ ¬X) = .25 while J(I_r) = .49, the likelihood of occurrence of I_r is greater than the likelihood of ¬Q ∧ ¬X, and hence it seems preferable to begin by looking at R's possible internal failure.

On the whole, we see that the graph of deterrence representation of the MAS provides extra information, which can be used to select a direction of search for determining the origin of the network's dysfunction.


² The values of the mean time required to find the origin of the problem are directly derived from the assumption that there is only one agent that doesn't function properly, which means that only two checks need to be made in both cases.



7 Positioning the duplicate. 



We have seen in the above paragraph that the exact positioning of the duplicate impacts R’s playability. So can we optimize the positioning of the duplicate?

To answer, we need to define what we mean by “optimize”. 

At first sight, two different meanings can be envisaged:

maximize the reliability of the last agent (just as in the above example) 
maximize the reliability of all agents. 

If, in theory, the second goal is the most desirable one, it is not certain that it can be reached, in which case it will be necessary to consider the optimization problem as a multi-criteria one, or as an N-player non-cooperative game of Nash.

Now, considering the first meaning, the fact that the last vertex of odd rank has the 
smallest positive playability (among vertices of odd rank), implies that maximizing the 
latter amounts to increasing a positive playability “threshold”. This is certainly not 
equivalent to optimizing the positive playability of all vertices of odd rank, but this is 
already a step in the right direction. Therefore, for the sake of simplicity, we shall 
hereby restrict our attention to that first meaning. 

In the MAS without duplicate, $J(X_2) = v/(1+v)$.

For the sake of simplicity, let us denote this expression by $a$. It follows that:

$J(\neg X_2) = v[1-a]$ ; $J(X_3) = a - av + a^2 v$ ;

$J(\neg X_3) = v[1-a][1+av] = v[1-a][1-a^2v^2] / [1-av]$

Let us assume that $J(\neg X_k) = v[1-a][1-a^{k-1}v^{k-1}] / [1-av]$.

Then $J(X_{k+1}) = a[1 - J(\neg X_k)] = a - av + a^2v - a^2v^2 + \dots - a^{k-1}v^{k-1} + a^k v^{k-1}$

Whence $J(\neg X_{k+1}) = v[1 - J(X_{k+1})] = v[1-a][1 + av + a^2v^2 + \dots + a^{k-1}v^{k-1}]$

$= v[1-a][1-a^k v^k] / [1-av]$.

Suppose now that a duplicate $X$ is introduced in the MAS, and positioned in parallel with $X_k$. We know that $J(X) = J(X_k)$, which implies $J(\neg X_k \wedge \neg X) = v[1-J(X_k)]^2$, and $J(X_{k+1}) = a[1 - J(\neg X_k \wedge \neg X)]$.

Again, for the sake of simplicity, let us denote $J(X_{k+1})$ by $b$.

$J(\neg X_{k+1}) = v[1-b]$ ; $J(X_{k+2}) = a - av + avb$ ;

$J(\neg X_{k+2}) = v[1-a+av-avb] = v[1-a+av-a^2v+a^2v-avb] = v[1-a][1+av] + av^2[a-b]$

$= v[1-a][1-a^2v^2] / [1-av] + av^2[a-b]$

Just as above, it can be shown with some elementary algebraic computation that more generally, $J(\neg X_{k+i}) = v[1-a][1-a^i v^i] / [1-av] + a^{i-1}v^i[a-b]$.

Let us then consider that $k+i = n-1$.

Then: $J(\neg X_{n-1}) = v[1-a][1-a^{n-k-1}v^{n-k-1}] / [1-av] + a^{n-k-2}v^{n-k-1}[a-b]$

It follows that the positive playability of the last agent writes:

$J(X_n) = a\left[1 - \left[ v[1-a][1-a^{n-k-1}v^{n-k-1}] / (1-av) + a^{n-k-2}v^{n-k-1}[a-b] \right]\right]$


Let us take for instance a MAS comprised of five agents $X_1, X_2, \dots, X_5$.



The reasoning developed in the three agent case still applies, and shows that posi- 
tioning the duplicate at the root level does not impact the positive playability associ- 
ated with the proper functioning of the last agent. 

Similarly, one can disregard positioning the duplicate at the level of the last agent, 
since such positioning would not impact the functioning of the last agent. 

What remains is to consider positioning the duplicate in parallel with agent 2, agent 
3 and agent 4, respectively. 

To do that, all we need is to compute the positive playability in each one of the 
three corresponding cases. 

The results are given in the table below:

    k          2      3      4
    v         .99    .94    .997
    J(X_5)    .18    .32    .49


We see that the positive playability of $X_5$ increases significantly with $k$, the highest value being obtained when the duplicate is positioned parallel to $X_4$, that is just before $X_5$.

Now if we consider that agent $X_5$ provides the general output of the MAS, it means that the duplicate should be positioned as near the output as possible.

Of course, this result has been obtained in the case of a particular example. Its gen- 
eralization still needs to be explored. 
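As an added worked example, not taken from the paper, the following Python code evaluates the recurrences above for a chain of agents with the duplicate in parallel with $X_k$, and checks the closed form for $J(X_n)$ against the step-by-step recurrence. Here $v$ is simply an input; the per-$k$ values of $v$ in the table are not derived in this excerpt, so the code does not reproduce the table's numbers, only the trend.

```python
# Added worked example (not code from the paper): positive playability of the
# last agent X_n in a chain X_2 .. X_n, with an optional duplicate placed in
# parallel with X_k, using the recurrences given in the text.  v is treated as
# an input parameter; the paper's per-configuration values of v are not derived
# here, so the paper's table is not reproduced.


def playability_chain(n, v, k=None):
    """Step-by-step evaluation of J(X_m) and J(not X_m) for m = 2..n.

    Starts from a = J(X_2) = v/(1+v) and applies
        J(not X_m)         = v[1 - J(X_m)]      (no duplicate at level m)
        J(not X_k ^ not X) = v[1 - J(X_k)]^2    (duplicate X in parallel with X_k)
        J(X_{m+1})         = a[1 - J(not X_m)]
    Returns {m: (J(X_m), J(not X_m))}.
    """
    if not 0.0 < v <= 1.0:
        raise ValueError("v must lie in (0, 1]")
    if k is not None and not 2 <= k <= n:
        raise ValueError("duplicate position k must satisfy 2 <= k <= n")
    a = v / (1.0 + v)
    chain = {}
    pos = a
    for m in range(2, n + 1):
        # squared factor only at the level where the duplicate sits
        neg = v * (1.0 - pos) ** (2 if m == k else 1)
        chain[m] = (pos, neg)
        pos = a * (1.0 - neg)  # J(X_{m+1})
    return chain


def last_agent_playability(n, v, k=None):
    """J(X_n) obtained purely by recurrence (duplicate at X_k if k is given)."""
    return playability_chain(n, v, k)[n][0]


def last_agent_playability_closed_form(n, v, k):
    """J(X_n) from the closed form derived in the text (2 <= k <= n-1):

        J(not X_{n-1}) = v[1-a][1-(av)^i]/[1-av] + a^(i-1) v^i [a-b],  i = n-k-1
        J(X_n)         = a[1 - J(not X_{n-1})]

    where a = v/(1+v) and b = J(X_{k+1}) computed with the duplicate present.
    """
    if not 2 <= k <= n - 1:
        raise ValueError("closed form needs 2 <= k <= n-1")
    a = v / (1.0 + v)
    j_xk = playability_chain(k, v)[k][0]        # J(X_k) is unaffected by the duplicate
    b = a * (1.0 - v * (1.0 - j_xk) ** 2)       # J(X_{k+1}) with the duplicate at k
    i = n - k - 1
    geometric = (1.0 - (a * v) ** i) / (1.0 - a * v)   # 1 + av + ... + (av)^(i-1)
    neg_last = v * (1.0 - a) * geometric + a ** (i - 1) * v ** i * (a - b)
    return a * (1.0 - neg_last)


def duplicate_positions(n, v):
    """J(X_n) for every admissible duplicate position k = 2..n-1 at a fixed v,
    the same sweep the paper performs for the five-agent MAS."""
    return {k: last_agent_playability(n, v, k) for k in range(2, n)}


if __name__ == "__main__":
    # Constructed sample: five agents, v = 0.99 (one of the v values in the paper's table)
    for k, j in duplicate_positions(5, 0.99).items():
        print(f"duplicate parallel to X_{k}: J(X_5) = {j:.4f}")
```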


8 Conclusions. 

In this paper we have used a three layer approach to analyze multi-agent systems. 

The first layer is the MAS itself. Each agent of the MAS has been associated with 
logical propositions. The set of these propositions has then been structured with the 
help of appropriate implications (layer 2). In turn, we have shown that with this system of implications, we can associate the graph of a game of deterrence (layer 3), the
vertices of which are the propositions of layer 2. This graph represents an inference 
scheme in which “inference values” are given by the positive playability indices asso- 
ciated with its vertices. 

Three applications are under development:

1) Determination of the graph associated with a given MAS

2) Possible selection of a first direction to explore in order to minimize the time 
necessary to find the origin of a network dysfunction 

3) Optimal positioning of a duplicate agent, in order to maximize the network’s 
reliability. 

These applications and the corresponding properties have been developed in the 
framework of an elementary MAS. Extending these applications and properties could 
pave the way for designing a MAS while simultaneously taking into account reliability 
problems, and building efficient redundancy subsystems. 
Abstract. The Cognitive Agent Architecture (Cougaar) is one of the
most sophisticated distributed agent architectures developed today. As 
part of its research and evolution, Cougaar is being studied for applica- 
tion to large, logistics-based applications for the Department of Defense 
(DoD). Anticipating future complex applications of Cougaar, we are investigating the Model Driven Architecture (MDA) approach to understand how effective it would be for increasing productivity in Cougaar-based development efforts. Recognizing the sophistication of the Cougaar
development environment and the limitations of transformation tech- 
nologies for agents, we have systematically developed an approach that 
combines component assembly in the large and transformation in the 
small. This paper describes some of the key elements that went into the 
Cougaar Model Driven Architecture approach and the characteristics 
that drove the approach. 



1 Introduction 

Software development can be thought of as the evolution of abstract require- 
ments into a concrete software system. Starting with requirements that must be 
refined and elaborated, the system’s evolution is achieved through a successive 
series of transformations. For non-trivial systems, this can be complex, time con- 
suming, and prone to errors as software engineers work together to develop the 
requisite components, assemble them, and verify that they meet specifications. 
Model Driven Architecture (MDA), also known as Model Driven Development, 
represents an emerging approach for organizing this evolution and its resulting 
artifacts. Through a successive series of computation independent, platform independent and platform specific model transformations, MDA facilitates generation of software systems.

With the relentless advancement of technology, complexity and integration
issues often dominate modern computing. To respond to the sheer volume of 
software and consequential complexity, the software community has increasingly 
embraced architecture principles. Software architecture provides a framework 



to understand dependencies that exist between the various components, con- 
nections, and configurations reflected in the requirements. Some situations lend 
themselves to what is called an agent-based architecture. 

As software grows in complexity and autonomy, manifold dependencies between critical elements of software increasingly drive many software architectures. Agent-based software systems address this complexity particularly where
components may have autonomous properties (i.e., complex information and 
task-intensive situations) and require mechanisms to control these and other 
properties in a predictable way. The task orientation coupled with intelligent 
agents provides a strategic and holistic environment for designing large and 
complex computer-based systems. 

This research concentrates on understanding and applying the MDA ap- 
proach in an Agent-Based Architecture — specifically, Cougaar. The goal is to 
explore ways to use MDA to facilitate domain and software engineering staff 
developing Cougaar Applications, to move up and program at the higher level, 
the domain level. We investigate how to compose Cougaar components into a 
General Cougaar Application Model (GCAM) and develop a General Domain 
Application Model (GDAM) for specifying and generating software applications. 
While the scope of this research focuses on the establishment of the GCAM and 
GDAM, it also provides example recipes for transforming the models into rele- 
vant software artifacts such as requirements, design, code, and test documents. 

1.1 Agent Based Systems 

While there are several definitions for software agents [1], we simply define an
agent as a software entity that perceives its environment and responds through 
action(s) or tasks to fulfill a designed purpose. This broad definition covers a wide 
range of software agents, where agent types are characterized by properties, such 
as autonomous, interactive, adaptive, sociable, cooperative, competitive, proac- 
tive, intelligent, and mobile. By combining these properties in different ways, 
researchers have defined different agent types and, depending on the criteria, 
organized these agent types into taxonomies. 

An “agent system is a platform on which agents are deployed” [2] . Software 
agent systems, also known as frameworks, need not be large systems, requir- 
ing enterprise-class machines to execute. Some agent systems are characterized 
by a large footprint and require considerable resources to execute. Others are 
lightweight and can execute in an embedded architecture. 

A general agent platform architecture consists of three major components: 
a platform manager, an advertisement registry and a set of agents. Key char- 
acteristics of this general agent platform are that (a) there is some mechanism 
by which agents are managed (i.e., created, deleted, suspended, resumed, etc.), 
registered and also discovered by other agents; and (b) there is a communica- 
tion mechanism. The platform manager is responsible for managing the agents, 
handling operations such as the creation, deletion, suspension and resumption 
of agents. The advertisement registry contains descriptions of the agents in the 
system and facilitates discovery of those agents. Implied in this architecture is 



that agents can communicate with each other, with the platform manager and with the advertisement registry.

Some interesting examples of software agent systems include Grasshopper [3],
JACK [4], Cougaar [5], and JADE [6]. There are also several more agent sys- 
tems that are compliant with Foundation for Intelligent Physical Agents (FIPA) 
specifications [7]. 

1.2 Cougaar 

The Cognitive Agent Architecture (Cougaar) is an open source, distributed agent 
architecture [8] resulting from over eight years of research and development, 
and over $150 million investment by the Defense Advanced Research Projects 
Agency (DARPA) under the Advanced Logistics Program (ALP) and the UltraLog program [9]. Cougaar is a Java-based architecture for the construction of large-scale distributed agent-based applications characterized by hierarchical task decompositions. ALP demonstrated the feasibility of using advanced agent-based technology to carry out rapid, large scale, distributed logistics planning. UltraLog is developing information technologies to enhance the survivability of
these distributed agent-based systems operating in extremely chaotic environ- 
ments. Over the last four years, fault tolerance, scalability and security have 
become the focus of evolving this platform for more robust applications. 

The Cougaar environment enables developers to build intelligent applications 
that can recognize and accept high level tasking, determine suitable processes 
and activities, and allocate appropriate resources to complete the tasking. From 
an information systems workflow perspective, Cougaar agents can accomplish 
various tasks based on the functional business processes with which they are 
configured. 

Cougaar agents are organized into a society that collectively solve(s) prob- 
lem(s). A society can encompass one or more communities of agents that share 
functional purpose or organizational commonality. A Cougaar node refers to a 
single Java Virtual Machine (JVM) running on a single server that contains one 
or more agents. A society may be deployed across several nodes. Agents on the 
same node may compete for resources including CPU, the memory pool, disk 
space, and network bandwidth. 

Figure 1 illustrates the Cougaar agent structure consisting primarily of a 
blackboard and a set of plugins and logic providers that are referentially uncoupled. The blackboard is a container of objects that adheres to publish/subscribe semantics. Plugins provide business logic. Logic providers translate both incoming and outgoing messages. When an agent receives a message, it publishes it to the blackboard, where a logic provider observes its addition and transforms it into an object that plugins work on. Plugins publish/remove objects, or publish changes to existing objects. Plugins create subscriptions to get notified when objects of interest to them are added, removed or changed in the blackboard.

Agents collaborate with other agents, however they do not send messages 
directly to each other. Instead, a task is created. Each task creates an “infor- 
mation channel” flowing through the society, for requirements passing down and 



Fig. 1. Cougaar Agent Structure [8]


responses going back. In order to send an object or resource to another agent, the developer must first associate the object or resource with the task. Cougaar uses the concept of an asset to represent objects or resources used by a task. Only instances of the Asset class can be associated with the task (i.e., all multi-agent objects must be defined as assets).

Once the task is created, then the task to be allocated must be located. This 
is typically accomplished by creating a subscription that examines the roles 
or property groups of organizations in the local blackboard. Once the proper 
organization is found, the task containing the object to be sent to the other agent 
is allocated to that organization by creating an allocation and publishing it to 
the blackboard. The Cougaar communication infrastructure then ensures that 
the task is sent to the specified organization and the specified agent's blackboard.

A relationship between two agents can be either a superior/subordinate or a customer/provider relationship. The superior/subordinate relationship supports long-standing transactions where a superior gives high-level tasks to the subordinate, which then performs the task and reports aggregate and trend information back to the superior on a periodic basis. Cougaar supports dynamic re-planning and execution monitoring based on this aggregate/trend information. A customer/provider relationship, on the other hand, is for task-order services between agents on a peer-to-peer basis and may result in large-scale discrete data flows between the agents.


1.3 Model Driven Architecture 

In some sense, MDA is a natural progression from previous advances in com- 
puter science. Using models in the development of a system has been practiced 
for decades, and even for centuries in other engineering disciplines (e.g., Building 
Architecture). Perhaps the most telling transition in mindset is how modeling 
in MDA takes a model (typically an abstraction of a reality) and creates an exe- 
cutable form through a series of predictable transformations. Since the computer 
uses a conceptual medium developed by a software engineer (i.e., a model or se- 
ries of models), transforms now make abstractions of the real world accessible 


and even executable on a computer. In this sense, models are no longer simply 
an aid in understanding — the model can now become something much more 
concrete. 


Like other engineering disciplines, software architecture helps us deal with the inherent complexities of building today’s software systems. Systematically separating concerns, formalizing the interfaces through standards and the like, provides better leverage for developing and evolving the software we employ.
Software architecture — the structure or structures of the system, which encompass software components, their externally visible properties, and the relationships among them [10] — addresses the aforementioned growing complexity by
providing structure for thinking about and communicating key relationships be- 
tween components, whether they are commercial-off-the-shelf software (COTS), 
middleware, or custom developed. 

MDA endeavors to achieve high portability, interoperability, and reusability 
through architectural separation of concerns. In some respects, MDA is an ad- 
vanced perspective on well-known essential systems development concepts prac- 
ticed over the years (albeit frequently practiced poorly). MDA hinges on the 
long-established concept of separating the operational specification of a system 
from the details of how that system implements those capabilities on its respec- 
tive platform(s). That is, separate the logical operational models (external view) 
from the physical design for the platform implementation. 

Starting with an often abstract computation independent model (CIM) such 
as a business process workflow or functional description, the platform indepen- 
dent model (PIM) is derived through elaborations and mappings between the 
original concepts and the PIM renderings. Once the PIM is sufficiently refined 
and stable, further platform specific models (PSM) are derived through a se- 
ries of elaborations and refinements into a form that can be transformed into a 
completed operational system. 

The CIM layer is where vernacular specific to the problem domain is defined, 
where constraints are placed on the solution, and where specific requirements 
reside. Artifacts in the CIM layer focus largely on the system requirements and 
their environment to provide appropriate vocabulary and context (e.g., domain 
models, use case models, conceptual classes). The CIM layer contains no process- 
ing or implementation details. Instead, it conveys non-functional requirements 
such as budgetary constraints, deployment constraints, and performance con- 
straints as well as functional constraints. 


The PIM provides the architecture, the execution plan, but not the execution 
of the plan in a tangible form. Beyond high level services, the problem domain 
itself must be modeled from a processing perspective. The PIM is where the 
logical components of the system, their behaviors, and interactions are modeled. 
PIM artifacts focus on modeling what the system should do from an external or logical perspective. Structural and semantic information on the types of components and their interactions (e.g., design classes, interaction and state diagrams) are rendered in UML, the de facto modeling language for MDA.
Mapping from the PIM to the PSM is a critical element of the MDA approach. The mappings from platform independent representations to those that
implement the features or functions directly in the platform specific technolo- 
gies are the delineation point where there is considerable leverage in MDA. This 
mapping allows an orderly transition from one platform to another. But the 
utility does not stop there. Like the PIM, there is the opportunity to have layers within the PSM to produce intermediate transformations on the way to the
executable system. These models can range from detailed behavior models to 
physical source code used in the construction of the system. 

Direct PIM to PSM mappings are only possible in relatively simple situa- 
tions today. Today’s modeling languages are not sufficient to express all possible 
processing mechanisms. While UML 2.0 is attempting to address this limitation, 
it’s too early to measure its impact. Therefore, in this research effort, we have 
attempted to glean the benefits of the MDA approach while avoiding, to the
extent possible, its inherent limitations. 

The MDA approach specifies a system independently of the platform that 
supports it, specifies the platform(s), chooses platforms for the system, and
transforms the system specification into those for particular platforms. While 
this approach is still evolving, we are encouraged by its progress and skeptical of 
some claims made by proponents. Therefore, we have adopted an approach that 
incorporates the more stable concepts supported by tool technology and delayed 
others that are still in question as far as implementation potential in the next 
year. 


2 Cougaar Model Driven Architecture 

The objective of this research project is to improve the productivity of Cougaar 
system developers by applying the Object Management Group's MDA approach. The
productivity enhancement is achieved by automatic generation of partial sets of 
software artifacts such as requirements, design, code and test cases. While this has not been accomplished technologically before, the Cougaar Model Driven Architecture (CMDA) Project endeavors to inspire solutions toward fully automated generation of software artifacts.

The CMDA system simplifies Cougaar-based application development by 
providing two important abstraction layers namely Generic Domain Applica- 
tion Model (GDAM) and Generic Cougaar Application Model (GCAM). The 
GDAM represents the PIM and encompasses the representation of generic agent 
and domain specific components found in the domain workflow. The GCAM 
layer, upon which the GDAM layer is built, reflects the PSM or Cougaar archi- 
tecture, its specifications and environment. The user specifies the workflow of 
the intended Cougaar system using workflow components and the system is then 
detailed using GDAM and GCAM models. 

The CMDA approach uses a combination of assembly and transformation approaches to assemble components specified in GDAM and GCAM models and then transform them into the intended Cougaar-based systems. The GDAM and GCAM engines assemble the respective models and the transform engine parses through the assembled set of models to produce the actual software artifacts such as requirements, design, code and test cases.

Figure 2 depicts how all the pieces fit together conceptually. The CIM is 
realized through the GDAM/PIM, which is realized through the GCAM/PSM. 
While this is not a fully implemented MDA approach in every detail, it does 
conceptually reflect the key principles. 



Fig. 2. Basic CMDA Approach 


To a large extent, the CMDA system's capabilities are dependent on the effectiveness and efficiency of the transformation process. The transformer generates the system requirements by parsing mostly components present in the workflow layer, as the system's flow of execution and related constraints are described at
that layer. While generating the requirements, the transformer also examines 
the components in the GDAM layer. Such examination is warranted due to the 
influence or tailoring some GDAM components have on the requirements that 
are being generated. Further it should be noted that the requirements, which 
are generated automatically, are partial in nature. The low-level design of the 
intended Cougaar system is to be elicited from the assembled GCAM compo- 
nents. The low-level design encompasses the GCAM model of the system, which 
includes (but is not limited to) UML class diagrams, sequence diagrams, state 
transition diagrams and deployment diagrams. The code and test cases are gen- 
erated and/or assembled from the GCAM model, whose model representation 
will be in a suitable representation that provides the required completeness and 
correctness. 

2.1 Formal Method Approach Selection 

Cougaar is a highly complex system that implements concepts such as “time 
phased locality of reference” and “managed inconsistency.” Hence, testing and 
finding errors using traditional testing methods such as testing for all possible
states or artificially reducing the states by discerning selection, may be grossly 
inadequate. In such complex systems, formal methods are the chosen methods to 
assure correct operation [11]. Formal methods, whose underlying basis is math- 
ematical notations and techniques, offer capabilities to fully specify the system 
using mathematical models. The completeness and correctness of the system is 
verified by validating the equivalent mathematical model of the system. How- 
ever for most applications, due to time constraints, it is not advisable or even 
economically feasible to apply formal methods to fully specify the entire system. 
Frequently in real-world projects, formal methods are applied to a small subset 
of components that have the necessity for formal treatment [11]. 

The transformation processes for the CMDA system encompass significant 
challenges. While researchers have conducted transformations before, we are yet 
to come across any example that has attempted to perform transformations to 
this scale or depth. While other parts of the system such as mapping between 
GCAM and GDAM components are significantly difficult, the transformation is 
beset with some interesting challenges. The transformation challenges include: 

1. Difficulties arising due to correctness and completeness errors in the input 
model, 

2. Need for accurate depiction of the complex input model in the generated 
software artifacts (verifiability), and 

3. Need to provide consistent output when repeated transformations (with same 
input) are performed. 

These are particularly important for the portions of the CMDA system where 
equivalence and rewrite rules are applied. The degree to which these challenges are not met is proportional to the degree to which a “human in the loop” will be needed. A major decision taken while deciding on the transformation approach was whether to adopt the assembly approach or the synthesis approach. Given the complexities involved, it was decided to follow a combined assembly/transformation approach, thereby leveraging the simplicity of the assembly approach and the efficiency of the transformation approach. Further, the existence of
many-to-many or at the least many-to-one mapping between components in two 
different levels makes a purely synthesis approach very difficult and highly error 
prone. In particular, the many-to-many mapping relationships between GDAM 
and GCAM components could result in a complex and unwieldy system, if syn- 
thesis approach or fully automated software artifact generation technique is used. 

The following were identified as the key transformation requirements for the 
CMDA system. 

1. Assembling the system's intended external behavior, specified using the workflow and GDAM semantics, into English requirement statements,

2. Assembling the system design represented using GDAM and GCAM com- 
ponents into system design in UML representation, 

3. Generating code and test cases from the GCAM model by means of assembly 
approach, 

4. Verification and validation of code generated. 
3 Formal Methods

Formal methods, a combination of specification language and formal reasoning, 
can be classified into three categories: (1) Mainstream formal methods, (2) Theorem provers and (3) Customized formal methods. A brief description of the
three categories is given in this section to give a flavor of the decision space 
available for the CMDA system. 

Mainstream formal methods use rigorous mathematical models to specify the
system. The foundations for mainstream models are usually based on set the- 
ory and first order predicate calculus. Examples of mainstream formal methods 
capabilities include Z, B, CSP, VDM, RAISE. 

Theorem provers use rigorous mathematical proofs to describe software systems. Examples of theorem provers include Nqthm, PVS, OBJ, and Isabelle. While theorem provers can be very effective, they may suffer from poor usability, unintuitive development environments and graphical user interfaces. Further, development
of systems using theorem provers can be difficult. 

Custom formal methods are essentially extensions and adaptations of mainstream formal methods and theorem provers. Examples of these include VDM++, Temporal Petri Nets, and Timed CSP. Formal methods are extended to support specific development paradigms such as object-oriented systems. Hybrid formal
methods, a type of custom formal methods, are formed by combining two or 
more different types of formal methods. 

3.1 Formal Methods in Transformation 

The capabilities of the formal methods were understood by conducting an in- 
depth survey on some of the important formal methods that were used for spec- 
ifying agent-based systems. Table 1 depicts the representative formal methods 
surveyed based on their Object-Oriented (OO) modeling support, usability, tool 
support and concurrency support. The rows of the table list the different formal methods that were surveyed, ranked in increasing order of preference for the CMDA system. The columns of the table indicate the comparison criteria in decreasing order of importance (as far as the CMDA system is concerned) as one moves from left to right. The criteria were selected keeping in mind the transformation requirements, which necessitate representation notations that have
adequate support for representing components and their constraints, scalabil- 
ity to represent large and complex systems and tool support for the assembly 
approach. 

The support for representing objects is the most important selection crite- 
rion as Cougaar is an object-oriented system. The OO support criterion includes 
ability to represent objects and their constraints such as pre-conditions and post- 
conditions. The tool support is another important criterion for selection since 
CMDA is to be interfaced with the Eclipse IDE platform. The tool support should
include GUI interfaces to perform consistency checks, type checking and code 
generation. The usability criterion gives an indication of the amount of difficulty in learning and using the formal method, with a good rating indicating that the method's syntax is similar to popular programming languages and easy to learn. The scalability criterion is the fourth important criterion that indicates
whether the representation is scalable enough to support complex Cougaar sys- 
tems. Formal basis criterion, the least important one, provides insights into the 
richness of the formal methods to describe the system completely and correctly. 


Table 1. Comparison of Candidate Formal Methods [12] 


    Name         OO Support   Tool Support      Usability   Scalable   Concurrency   Formal Basis
    X-machines   Yes          Very Poor         Poor        No         No            Yes (Formal Lang)
    WSCCS        Yes          Poor              Poor        Limited    Yes           Yes (Process Algor.)
    B            Yes          Average           Good        Yes        No            Yes (Set theory)
    Z variants   Yes          Average to Good   Average     Yes        No            Yes (Set t./Pred. C.)
    CSP          Yes          Good              Average     Yes        Yes           Yes (Algebraic)
    Petri Nets   Yes          Average           Good        No         Yes           Yes
    VDM++        Yes          Good              Good        Yes        Yes           Yes (Set theory)
    UML          Yes          Good              Good        Yes        Yes           No


As indicated in Table 1, among formal methods, VDM++ appears to possess all of the important characteristics required by the CMDA system. Some of the other prospective formal methods include CSP and Petri Nets. While CSP does support OO representations and has good tool support, the usability of the CSP method is only average. As for Petri Nets, scalability of Petri net models is a major issue. Although VDM++ satisfies the criteria requirements of the CMDA system, the time constraints imposed by the project schedule might not permit complete formalization of the Cougaar system. Hence, the most apt implementation approach for the CMDA system might be to combine the UML and VDM++ methods to exploit the advantages of both methods.

3.2 Vienna Development Method (VDM) 

The Vienna Development Method [13] is a notation and set of techniques for formally specifying object-oriented systems (with concurrent and real-time behavior), including modeling the systems, analyzing those models and progressing to detailed design and coding. VDM has its origins in the work of the IBM Vienna Laboratory in the mid-1970s. VDM, one of the most popular and frequently used formal methods, is also one of the few that has an ISO Standard for its specification language, VDM-SL (Meta-IV) [14]. VDM++ is an extension of VDM which supports object-oriented modeling. In this subsection, we outline how VDM++ performs against the criteria for selection. 


Advantages 

The advantages of using VDM++ for this project include: 

Usability: One key hindrance in using formal methods is the lack of support for programming-language-like semantics. VDM++ provides programming-language-like semantics, thereby enhancing the usability of the method among developers. Further, VDM++ can be used at varying depths, from specifying the requirements more correctly and completely, to developing models for analysis, to implementing the system. 

Applicability: Unlike most formal methods, which evolved in the academic world, the VDM method was developed by industry for solving real-world problems. Hence VDM and its extension, VDM++, are used extensively and successfully to solve industrial problems. 

OO Modeling Support: VDM++ is designed with OO modeling in mind. Hence the language can be used to model an object-oriented system, like Cougaar, without any modifications. The language also supports multiple inheritance and provides mechanisms to specify constraints on data and operations. The support for OO modeling is one of the biggest advantages of using VDM++. 

Tool Support: VDM has extensive tool support. The class of tools available for VDM includes (1) VDM through Pictures (VtP) by IDE, to input/edit formal specifications and to specify requirements using pictures or graphics; (2) SpecBox, to print formal specifications captured automatically and to check specifications for grammatical correctness and completeness; (3) Delft VDM-SL, to check specifications for grammatical correctness and completeness; (4) mural, for proof support; (5) the VDM Domain Compiler, for automated code generation; and (6) transformation tools for converting UML models to VDM and vice versa [15, 16]. Further, the IFAD VDM++ Toolbox is a set of tools designed to support VDM++. The toolbox provides a number of features, including a checker to validate syntax and types, a test coverage and statistics tool, and C++ and Java code generators. The toolbox also provides APIs that allow programs to access and modify the running instance of VDM++ models inside the toolbox, which eases interfacing with the Eclipse IDE. 


Disadvantages 

Mathematical Foundation : VDM++ is based on mathematical notations. 
Therefore, many domain experts and system developers may not like to encode 
system specifications using VDM++ language semantics. The disadvantage can 
be mitigated by developing wrappers that will hide the complexity of VDM++ 
semantics. 

Time Constraints: Even for formal methods experts, large system develop- 
ment with VDM++ would be a lengthy endeavor. The modeling of GCAM 
components in VDM++ will be time consuming and difficult. Hence, modeling 
the entire Cougaar system using VDM++ has to be avoided. 


3.3 VDM++ Toolbox and CMDA 

The VDM++ Toolbox, developed by IFAD, is a set of tools that supports the object-oriented VDM++ extension of VDM-SL. The toolbox, which is part of VDMTools, differs from most other CASE tools for formal methods in the way the functional aspects of a specification are analyzed. Some of the features of VDMTools are the Specification Manager, Pretty Printer, Syntax Checker, Test Coverage and Statistics Tool, Type Checker, Dependency Browser, Interpreter and Debugger, Dynamic Link Facility, Couplings to Third-party Tools, and Java Code Generator. 

The features of VDMTools planned to be used for the CMDA system include the Rose-VDM++ link to convert UML into VDM++, the VDM++ to Java code generator, the Syntax and Type Checker and the Test Coverage and Statistics Tool. 

In the next section, we discuss the use of VDM++ and UML in the CMDA approach, emphasizing the transformation implications. 


4 CMDA Transformation Approach 

The transformation challenges detailed above entail using multiple representations to represent the CMDA system components. The representation that we believe best addresses the challenges is a combination of UML and VDM++. The CMDA project intends to build a developer environment that will offer developers components which can be aggregated to represent the system at the workflow, GDAM and GCAM levels. Each of the components, named Workflow Beans, GDAM Beans and Cougaar Beans respectively (by analogy with the Java Beans concept), will contain sections of software artifacts and related information pertaining to that bean. Some example sections of the software artifacts that beans contain include: 

1. Requirements model, from which the transformer gleans the partial set of 
requirements; 

2. Design model, from which the system's design model is assembled by the 
transformer; 

3. References to the lower-level beans or links to Java code which can implement 
the bean. These references are traversed by the transformer while assembling 
the system's code; and 

4. Test case fragments that contain information on how to assemble the unit 
test cases for the beans. 

Further, the bean contains documentation information such as description 
about the bean, and constraints pertaining to data, operation and connections 
with other beans. The constraints may be divided into two groups: (1) Port 
constraints, detailing constraints on input ports of the bean, and (2) Role con- 
straints, detailing the restrictions the bean has on the roles or services the bean 
provides or supports. 

The contents and size of the sections and information in a bean are influenced by the abstraction layer to which the bean belongs. For example, a GDAM bean's requirements section will be larger than the requirements section of a Cougaar bean, while the code section of a GDAM bean might be a pointer to the Cougaar beans or code that can implement the GDAM bean in Cougaar. The models in the design model section of each bean will be represented using UML, while the VDM++ representation will be used to delineate connector and other constraint information. The code section will contain links to Java code libraries at the GCAM level and pointers to lower levels in the rest of the abstraction layers. The requirements might be a combination of XPDL, text and UML diagrams, while the constraints also contain mapping (or connection) information that is mostly rule-based with some formalizations applied. 

The workflow of the CMDA system starts with the developer assembling the system by picking the right workflow bean components and connecting them to represent the workflow. The constraints pertaining to connections are encoded in the beans, and developers are shown a detailed error message when they try to connect two dissimilar components. Once the workflow of the system is built, it can be verified for consistency. The developer is then shown a list of GDAM beans that can be chosen to map a particular workflow bean. The expert system will list only related GDAM beans, based on the constraints specified by the developer at the workflow level. The rationale for letting developers choose the right component is to let developers make design decisions with the system assisting them (by showing a list of possible solutions and patterns). 

The GDAM beans are mapped onto Cougaar beans in a similar fashion. In all layers, as and when required, the developer will input the information necessary to satisfy the completeness and correctness of the bean component. The usability of the system can be improved by developing wrappers that mask the semantic complexities of the representation language. Once the models are built, the transformation engine will traverse the beans at each level and generate the software artifacts based on predefined transformation rules. 



Fig. 3. CMDA System Abstraction Layers 


Figure 3 delineates all the abstraction layers that lie above the Java code. The GCAM layer has the largest number of components. The width of the boxes represents the extent to which the application can be represented by the layer. The ability to capture and/or implement the intended application's requirements increases as one progresses through the layers, with the Java layer having the capability to implement all the requirements. The workflow is to be described using the XPDL standard, defined by the Workflow Management Coalition, which provides a formal model for expressing executable processes that addresses all aspects of enterprise business processes. XPDL was chosen because the language focuses on issues relevant to the distribution of work and workflow processes rather than on defining web services, as in other standards such as BPML and BPEL. 

The solid arrows moving upwards from the Java layer through the GDAM layer represent the composition of more concrete components to satisfy the domain-level abstraction specified by the user. The dashed/transparent arrows pointing up to the domain application layer from the other layers depict the alternative components that can be obtained when a suitable GDAM component is not available. The values on the dashed/transparent arrows indicate the projected numbers of components from the various alternatives in the development environment. 


5 Conclusions 

Software development can be thought of as the evolution of abstract require- 
ments into a concrete software system through a series of transformations and 
refinements. Even in moderately complex systems, this transformation is often 
too involved for fully automated means. 

MDA provides a systematic way of capturing details during elaboration and 
refinement through the mapping from CIM to PIM, PIM to PSM and ultimately 
rendered as an executable software system. MDA as currently defined appears 
to have utility if used in moderation. However, for CMDA, it is not a panacea 
by any stretch. It still requires considerable work and strategic application. 

Cougaar is complex, requiring considerable mappings and transforms. For this reason, we chose an assembly-centric approach with simple formalisms to start. The CMDA approach has substantial transformation challenges in generating software artifacts such as requirements, design, code, and test cases automatically. The artifacts are generated from models assembled using components, or beans, belonging to two abstraction layers, namely GDAM (abstracting the domain and generic agent system) and GCAM (abstracting the Cougaar system). A bean will contain nuggets of requirement, design, code, test and documentation details pertaining to that component, along with transformation information. The CMDA system combines the assembly approach with the transformation-in-the-small concept to generate the artifacts. 

A comparison study of formal methods was conducted to identify a suitable language representation for the GCAM and GDAM components. The selection criteria for the comparative study included object-oriented support, usability and tool support. The study concluded that the complexity of the system, coupled with the need for completeness and correctness, compels using a hybrid language representation (a combination of UML and VDM++) to achieve the transformations. The transformation engine will generate the required software artifacts from the GDAM and GCAM models assembled by the developers, by parsing the various sections and portions of the beans. 
Abstract. To support the development of flexible and reusable MAS, we have built a framework designated MAS-CF. MAS-CF is a component framework that implements a layered architecture based on contextual composition. Interaction rules, controlled by architecture mechanisms, ensure very low coupling, making it possible to share distributed services in a transparent, dynamic and independent way. These properties facilitate large-scale reuse, since organizational abstractions can be reused and propagated to all instances created from a framework. The objective is to reduce the complexity and development time of multi-agent systems through the reuse of generic organizational abstractions. 


1 Introduction 

The characteristics and expectations of new application domains surrounding distributed systems have led to the development of dynamic and evolving structures. After the advent of the Internet and with the recent emergence of new technologies, the application domain of MASs is expanding, and nowadays they are used in many areas, such as e-business, web services, knowledge management and now enterprise information systems [Faulkner2001, Griss2003, Adam2004, Giorgini2004]. Agent technology represents an extraordinary opportunity for information systems and corporate applications, because agents must be capable of managing and organizing information, recognizing personal tastes and making increasingly important decisions on behalf of their owners. 

Nevertheless, the development of multi-agent systems is not trivial. To avoid the task of designing each new system from scratch, we need tools to help in MAS construction, and by extension it is desirable to also have tools for reusing previously designed architectures and their relationships. There is a considerable research effort towards the development of frameworks for agent-based systems [Sycara1999, Wooldridge2000, Evans2001, Bellifemine2001]. Each framework has different application-specific particularities, such as social capabilities, reasoning, flexibility for dynamic compositions, interoperability and so on. 

Most approaches, however, focus on the reuse of application-specific concepts at the analysis, design and implementation levels (roles, protocols, agent architectures). Little research is conducted towards generic (i.e., application-independent) models [Faulkner2001, Zambonelli2002, Holvoet2003, Griss2003]. There is a large potential for reusing generic "organizational abstractions", such as structures and patterns, in generic (i.e., application-independent) models [Zambonelli2002]. Reuse of generic software is recognized within the object-oriented community and has led to concepts such as design patterns and frameworks [Pree1999, Fayad1999]. 

The main focus of our work is the reuse of organizational abstractions applied to the development of multi-agent systems. Reusing an abstract architecture allows us not only to reuse the design and the implementation of the architectural software, but also to reuse important individual agent properties, such as interaction, adaptation and collaboration, which can be completely or partially resolved at the architectural level. On the other hand, by freeing the developer from the task of implementing these complex properties in the agent, the work becomes simpler and can be better focused on the maintenance of the knowledge structure and on the learning capabilities of the agent. 

This paper is structured as follows: the next section briefly describes the state of the art regarding agents and multi-agent systems. Section 3 describes the abstract architectural model, the communication model and the interface specification. Section 4 describes the interaction model, formalized by means of a service ontology. Section 5 describes how the architecture behavior has been formalized and how the specifications are stored and transformed into reliable code. Related work is discussed in Section 6 and contributions are listed in Section 7. 


2 Agent and Multi-Agent Systems 

We have examined the literature and identified the essential aspects surrounding agent-based technology. This section briefly presents some important concepts that will be used in the course of this work, namely agents and multi-agent systems. 


2.1 Agents 

There is no universally accepted definition of the term agent. Part of the difficulty in defining agent arises from the fact that, for different application domains, the properties associated with the agent concept assume different levels of importance. There are many types of software agents with different characteristics, such as mobility, autonomy, collaboration, persistence and intelligence. 



The behavior of an agent depends on, and is affected by, the incorporated agency properties: interaction, adaptation, autonomy, learning, mobility and collaboration. These properties are based on previous studies [Kendall 1999, OMG2000, Garcia2001]. We use the properties as follows, based on [Garcia2001]: 

• Interaction: an agent communicates with the environment and other agents by 
means of sensors and effectors. These are available via the agent's provided 
and required interfaces; 

• Adaptation: an agent should adapt its state and behavior according to new 
environmental conditions; 

• Autonomy: an agent has its own control thread and can accept or refuse a 
request; in other words, by autonomy we understand the capacity of the agent 
to execute its activities without human intervention; 

• Learning: an agent can learn from previous experience while interacting with its 
environment; 

• Mobility: an agent is able to transport itself from one environment to another 
to achieve its goals; 

• Collaboration: an agent can cooperate with other agents in order to achieve its 
goals and the system goals. 

According to OMG [OMG2000], autonomy, interaction and adaptation can be considered fundamental properties of software agents, while learning, mobility and collaboration are neither necessary nor sufficient conditions for agenthood. There are several types of software agents, including information agents, user agents, interface agents and mobile agents. Each agent type has different application-specific capabilities and agency properties. In order to have autonomy, an agent must possess a certain degree of intelligence allowing it to survive in a dynamic and heterogeneous environment [Correa 1994]. Therefore, there is general consensus that autonomy is one of the central properties of the notion of agent. 


2.2 Multi-Agent Systems 

There are several different ways to organize multi-agent systems. In any given case, the best way depends on the purpose and objectives of the system; thus there are several types of multi-agent systems, each with its own particularities such as social capabilities, reasoning, interoperability and so on. Jennings [Jennings 1996] proposes a framework that provides a structure to analyze and classify the activities of multi-agent systems according to two different perspectives: (i) the agent perspective, which focuses on the characteristics of the agents involved in the MAS, such as internal architecture, structure and maintenance of knowledge, and abilities of reasoning and learning; (ii) the group perspective, which includes group aspects such as organization, coordination, interaction and negotiation. 



In MESSAGE [Evans2000], MAS architecture is defined through an 
organizational model, focused on the structure of the organization and the relationship 
between the agents it contains. The organizational model also describes mechanisms 
for conflict resolution and rules that enable agent groups to function as a unit serving 
a common purpose. Agents are identified based on a goal-oriented model, where 
organizational goals are decomposed and associated with tasks. Goal decomposition 
is carried out recursively, until the tasks associated with the goal can be completely 
fulfilled by an isolated agent or in collaboration with other agents. Agents are 
connected by organizational relationships (such as superior-subordinate and client- 
provider), proceedings of control management, workflows and interactions. Internal 
architecture and maintenance of the knowledge structure applies an approach similar 
to BDI (Beliefs, Desires, Intentions). 

On the design of interoperable agents, JADE [Bellifemine2001] is a framework 
focused on interoperability based on the standardization of the language of 
knowledge. JADE can be considered an agent middleware that implements a platform 
and a development framework. The interaction model is implemented according to 
FIPA [FIPA2000] protocols. FIPA provides a standard language of communication 
based on protocols, an ontology necessary for the interaction between the agents from 
the system and from other systems. JADE provides an API to organize the system 
starting with a set of generic system services and agents. Services are transported 
through an interface mechanism to send/receive messages to/from other agents. 

RETSINA [Sycara1999] focuses the agent architecture on a software infrastructure that allows heterogeneous agents to interact on the Internet. The RETSINA framework provides an abstract basic agent architecture consisting of, and integrating with, reusable modules, and each module of an agent operates asynchronously. The RETSINA definition of multi-agent systems is driven by the vision that heterogeneous agents that autonomously organize their own social structures should populate multi-agent societies. 

The descriptions show different ways to organize MAS. Nevertheless, most approaches focus reuse on application-specific concepts and on the individual properties of the agent, such as protocols, roles and internal architecture. Little research in the domain of multi-agent systems has been conducted emphasizing the reuse of generic organizational abstractions [Faulkner2001, Zambonelli2002, Holvoet2003, Griss2003]. 


3 The Architectural Model 

In this section we present the main models that compose the framework architecture; namely, the abstract model, the structural model, the interface model and the logical model are described and commented on. 



3.1 The Abstract Model 


The architecture of a multi-agent system can naturally be viewed as an organized computational society of individuals. For this reason, organizational abstractions should play a central role in the analysis and design of such systems. Zambonelli and Wooldridge [Zambonelli2002] state that "the introduction of high-level organizational abstractions can lead to cleaner and more manageable and reusable MAS design." Also according to Zambonelli, organizational abstractions facilitate the design process because they lead to a cleaner separation between the component level (i.e., intra-agent) and the system level (i.e., intra-system). Holvoet [Holvoet2003] argues that "programming in the large" for reactive MASs should imply a reuse method that allows two things: (i) to describe MASs in an abstract, application-independent way and (ii) to reuse such abstract multi-agent systems through application-specific adoptions. 

In order to address these necessities, a few basic requisites of the model must be introduced. First, we define a MAS from an organizational view as a set of autonomous agents (possibly pre-existing) whose common objective is the solution of a given problem [Jennings 1996]. Nevertheless, the designer does not have to be focused on the solution of a specific problem. New problems may arise in the context of the MAS, and the society must be able to solve these new problems in collaboration. This can be achieved through the inclusion of new agents that build compositions with pre-existing agents, or by replacing obsolete agents. Therefore, the abstract model must provide an architecture that facilitates the inclusion of new agents at any given moment as new problems arise. 

During the analysis phase, an understanding of the system and its structure can be reached. In our case, this understanding is captured in the system's organization, via the architectural model. We view an organization as a collection of agents that provide and perform services, and take part in systematic, institutionalized patterns of interaction with other agents, regulated by the architecture. Starting from the goals of the organization, services can be identified and allocated to new agents or to pre-existing ones. 


3.2 Proposed Architecture 

Our architecture was designed based on the basic concepts present in component frameworks [Szyperski2002]. A component framework is a set of interfaces and interaction rules that govern how components "plugged into" the framework may interact. In particular, a component framework composes instances not based on directly declared connections or derivations (such as the inheritance of a class framework), but based on the creation of contexts and the placement of instances in appropriate contexts [Szyperski2002]. Beyond the similar names, almost identical visions and superficially similar construction principles, component frameworks are very different from class frameworks [Bosch 1999, Fayad1999], since implementation inheritance is not commonly used between a component framework and the interfaces it supports. 

Figure 2 illustrates the two main parts that compose our structural model: System and Infrastructure. System defines a structural model for the domain-specific MASs. We define domain according to [Sodhi2000, Tracz1994] as the problem space for a family of applications with similar requirements. Infrastructure defines a part that contains components that provide generic services, such as database access, translation services, HTTP services, GUI builders and others. 



Figure 2 - The MAS-CF generic architecture 


System can be seen on the left side of Figure 2. It defines a three-tier architecture composed of the elements Domain, MAS and Agent. Domain is a component system, MAS is a component framework, and Agent is an abstract model for the instances plugged into the MAS. The Domain tier implements a set of interaction rules that allow communication and the sharing of services between different MASs and allow communication between systems located in different domains. Different MASs located in a given domain can be plugged into the Domain tier. Note that tiers are described side by side with each other, while layers sit on top of each other. Traditional class frameworks merely structure individual components, independent of their placement in a tiered architecture. In the same way that MASs can be plugged into the Domain tier, agents can be plugged into the MAS tier. 

Represented on the right side of Figure 2, Infrastructure is a two-tier architecture where Infra is a component framework and the generic Infra Components are instances of the Infra component framework. The communication between System and Infrastructure is supported by an ontology, which describes the services and how they can be accessed. Details will be shown in Section 4. 


3.3 Communication Model 


Based on fundamental principles present in component frameworks, we have defined the communication model considering that the exchange of information between agents will be implemented as connections between agents and the architecture. The objective is to allow the sharing and distribution of services in a transparent, independent and autonomous way. An agent or component is visible to the architecture and can communicate by generating events, which trigger connection rules in the architecture. The communication is indirect, via a component framework that mediates and regulates component interactions. Figure 3 shows the communication model of the proposed architecture. 



Figure 3 - The communication model 

We use a notation similar to SOFA [Plasil2002] to describe the communication between interfaces. Three different types of connections are distinguished: (i) delegate: a connection between a provided interface of a component and a provided interface of a subcomponent; (ii) subsume: a connection between a required interface of a subcomponent and a required interface of a component; and (iii) bind: a connection between a required interface and a provided interface of two subcomponents. We consider the information flow over connections to be bi-directional. The Java Virtual Machine places call returns on a stack; after the execution of an event, the system returns to the caller. 

Service requests arrive from the environment through the interface DomainIn. These requests are decoded by the DomainController — which acts as an abstract factory [Gamma 1995] — and are routed, according to the requested service, to the responsible agent. Just like the DomainController, MASController and InfraController work as abstract factories. They encapsulate knowledge about which concrete classes are used by the system, and conceal the way that the instances of these classes are created and joined. This permits the configuration of the system with agent "products" that can vary widely in structure and functionality. As seen in the previous subsection, the concept of component framework can be applied in such a way that component frameworks are themselves components "plugged" into higher-tier component frameworks. Thus, by construction, a component framework accepts the insertion of instances at run time. Agents and Infra Components can be dynamically registered and plugged into the framework. 


3.4 Interface Model 

One of the main ideas underlying frameworks is that semi-finished components can be represented by abstract classes. Their purpose is to standardize the class interface for all instances or subclasses. Subclasses and instances can only augment the interface, not change the names and parameters of methods defined in a superclass [Pree1999]. The term contract [Pree1999, Szyperski2002] is used for this standardization property: instances of subclasses of a class A support the same contract as instances of A. A contract is a specification attached to an interface that mutually binds the clients and the providers (implementers) of that interface. Thus, the semi-finished or ready-to-use components and agents of our framework can be implemented based on the contract of the abstract class. 

On the lowest-level tier, the abstract class Agent provides two interfaces: a provided interface designated AgentIn and a required interface designated AgentOut. AgentIn provides a channel of communication through which agents absorb events, and is a flexible hot-spot [Pree1999]. The AgentOut interface establishes a communication channel through which services from other systems, agents or components may be requested. To this end, it is only necessary to agree to the contract established by the interface. The AgentOut interface is a frozen-spot. Note that Agent here is a generic term. In practice, the interface takes as prefix the name of the agent and as suffix the expressions In and Out. The two interfaces are encapsulated in the semi-finished abstract class Agent when it is instantiated through the framework. The basic syntax of the contract is as follows: 

public void AgentIn(String service, Vector in, Vector out) -> sensors 

public void AgentOut(String service, Vector in, Vector out) -> effectors 

The parameter service (String) defines the name of the requested service. The 
parameters carry semantics similar to those of CORBA IDL: they can be of type in 
(flow from client to object) or out (flow from object to client). The operation result, 
whenever there is one, is essentially a distinguished out parameter. The specification 
of highly structured messages introduces a level of complexity, since the parameters 
frequently represent complex types or data structures, such as vectors of objects. The 
type Vector used for the in and out parameters makes it possible to carry heterogeneous 
fields, such as Objects, arrays, Strings, and so on. 

For the components of the Infra tier, only the provided interface is instanced. 
Contrary to agents, components do not communicate among each other. As 
independent processing units, they do not request external services from other 
components or agents. 


3.5 Logical Model 

The UML provides the package mechanism [Larman1997] for the purpose of 
illustrating groups of elements or subsystems. Such a diagram may be called an 
architecture package design. A package defines a nested name space, so elements 
with the same name may be duplicated within different packages. Graphically, a 
package is shown as a tabbed folder; subordinate packages or classes may be drawn within 
it. Figure 4 illustrates a more detailed breakdown of common packages in the 
architecture of the framework. 



Figure 4 - Architectural units expressed in terms of UML packages 

The framework contains a set of five packages: Domain, MAS, Infra, Library and 
MCFTools. Inside each package the encapsulated classes are listed. The three 
packages shown on the top represent the main tiers of the framework: Domain, MAS 
and Infra. Note that the three packages contain classes with the suffixes Controller, 
Creator and Parser. As seen in previous sections, the classes with the suffix 
Controller represent abstract factories, responsible for the dynamic creation of 
instances. The Creator interfaces (whose names start with the letter I) define a standard signature 
for the instances that can be created dynamically, establishing a plug-and-play 
structure. The classes with the Parser suffix implement programs that parse the 
service catalogs (detailed in the next section) to retrieve the specification of the agent 
or component responsible for the execution of the service. When the agent is 
retrieved, it is delivered in the form of a String from the Parser class to the Controller 
class, which implements a factory method [Gamma1995] for the dynamic creation of 
instances. 

The two packages shown below in Figure 4, Library and MCFTools, supply 
generic support services to the main packages of the framework. Library contains 
classes that supply important generic services to the programs that control the 
interaction flow and the synchronization between processes. The classes setState and 
getState are responsible for the synchronization between processes. Class setState 
(producer) stores in a hashtable the next state for the action to be executed during the 
transition. The data is indexed by an ID created for each instance, and associated 
with the state and corresponding action. Class getState (consumer), whenever called 
upon, retrieves the state stored in the hashtable and delivers to the process the instance 
and the action to be executed. 

The MCFTools package provides a public interface to support the tasks of 
instancing the architecture and its elements, along with the necessary support for the 
specification of the service catalog. To this end, it makes a set of GUI classes 
available, such as MCFMenu, MCFGeGui and MCFSeGui. MCFMenu is the class that 
provides a common interface to a group of other components of the package and 
system, implementing the facade pattern [Gamma1995, Larman1997]. The disparate 
elements may be the classes in a package, a framework or a subsystem (local or 
remote). Along with the GUI classes, the package maintains a class called 
MCFParser that captures (when the architectural elements are instanced) the 
specifications described through the GUIs and stores them in the XML file. Finally, the 
MCFGenerator class is responsible for code generation, working within the standard 
code structure used by the framework (as per Section 5.2). 


4 Interoperability 

Consider the high-level component Infra. New components, which implement generic 
services, can be plugged in at run time, so new services must become available to agents at run 
time. How are new services made available to the agents? How can agents 
interact with each other without knowing in advance which services are available? 
The representations of the architecture were not sufficient to serve as a listing of all 
services provided. When a new agent is registered or instantiated by the framework, 
its services are registered in an XML ontology in the form of a services catalog. 



The ontology serves us as a formal specification of the catalog of services 
provided. Every agent operating within the System or Infra part must 
abide by the specifications dictated by the services ontology. The same is true for 
components. Figure 5 shows how services registered in the catalog may be accessed 
through the controller components present on the layers. Different components access 
specific sections of the catalog and obtain information such as component instances, 
the location of services and descriptions of the communication protocols. 



Figure 5 - Relationship between components and XML ontology 

List 1 shows an example of how a services catalog can be structured in the form of 
an ontology. The tags name and description supply basic information about services 
provided by agents or by components. The initiator tag indicates the agent 
responsible for the execution of the service and the path tag indicates the physical 
location of the agent; it may be a physical address or a URL. The type tag indicates 
the type of protocol used by the agent to deliver the message, initiate a 
conversation or supply a service. 


<Services>
  <service>
    <name>Advising Receive</name>
    <description>...</description>
    <initiator>Advisor</initiator>
    <type>MAS-CF</type>
    <path>D:\AcademicApplication\Advisement</path>
    <domain>Academic Applications</domain>
    <mas>Electronic Advisement</mas>
    <message>Contract MAS-CF</message>
  </service>
</Services>


List 1 - XML specification of the catalog of services 


The initiator is the agent responsible for starting the execution of the service. The 
type indicates the protocol used to deliver the message and to supply a speech 
act or a service. All of these tags are automatically retrieved from the specification 
and stored in XML format. Also present are the name and description tags, which 
supply basic information about the service. The XML catalog is critical to the system, 
so during use a working copy is made to ensure system reliability. If the working 
copy fails, a new copy is reconstituted from the original. Moreover, the information 
contained in the XML catalog can be reconstituted from the interfaces in the original 
XML system specification through the use of special tools. 
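The catalog described above is what the Parser classes read and what the Controller factories instantiate from, so an entry that a caller can alter is an entry that can steer dynamic class creation. The following is an added example in Python (the framework itself is Java, and this code is not part of it) showing the checks a practitioner would put between the catalog and the factory: parsing an entry of the List 1 shape, refusing a DTD, confining the path tag to an allowed root or an https URL, checking type and initiator against allow-lists, and falling back to the original catalog when the working copy's digest no longer matches. The sample catalog, the tampered copy and the policy constants ALLOWED_TYPES, ALLOWED_INITIATORS and ALLOWED_ROOT are constructed for the example.

```python
"""
Parse, validate and integrity-check a MAS-CF style XML services catalog.
Added example in Python; the framework described in the paper is Java, and
the policy constants (ALLOWED_TYPES, ALLOWED_INITIATORS, ALLOWED_ROOT) are
assumptions of this example, not part of the paper.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed sample catalog, modelled on List 1.
SAMPLE_CATALOG = """<Services>
  <service>
    <name>Advising Receive</name>
    <description>Receives an advising request from a student</description>
    <initiator>Advisor</initiator>
    <type>MAS-CF</type>
    <path>D:\\AcademicApplication\\Advisement</path>
    <domain>Academic Applications</domain>
    <mas>Electronic Advisement</mas>
    <message>Contract MAS-CF</message>
  </service>
</Services>
"""

# Constructed tampered working copy: the path now escapes the application tree.
TAMPERED_CATALOG = SAMPLE_CATALOG.replace(
    "D:\\AcademicApplication\\Advisement", "D:\\AcademicApplication\\..\\Tools\\Shell")

REQUIRED_TAGS = ("name", "initiator", "type", "path", "domain", "mas", "message")
ALLOWED_TYPES = {"MAS-CF", "KQML", "FIPA"}        # protocols with an Infra adapter
ALLOWED_INITIATORS = {"Advisor", "Student"}       # agent classes the factory may create
ALLOWED_ROOT = PureWindowsPath(r"D:\AcademicApplication")
ALLOWED_URL_SCHEMES = {"https"}


def parse_catalog(xml_text: str) -> list[dict]:
    """One dict per <service>, keyed by child tag. A catalog never needs a
    DTD, so a DOCTYPE is refused rather than relying on expansion limits."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("catalog must not carry a DTD")
    root = ET.fromstring(xml_text)
    if root.tag != "Services":
        raise ValueError(f"unexpected root element {root.tag!r}")
    services = []
    for svc in root.findall("service"):
        entry = {child.tag: (child.text or "").strip() for child in svc}
        missing = [t for t in REQUIRED_TAGS if not entry.get(t)]
        if missing:
            raise ValueError(f"service {entry.get('name')!r} lacks {missing}")
        services.append(entry)
    return services


def path_is_allowed(path: str) -> bool:
    """Accept an https URL or an absolute path inside ALLOWED_ROOT. The
    Controller loads code from this location, so '..' and foreign roots
    are refused before any factory method sees the entry."""
    parsed = urlparse(path)
    if parsed.scheme in ALLOWED_URL_SCHEMES:
        return bool(parsed.netloc)
    p = PureWindowsPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return p == ALLOWED_ROOT or ALLOWED_ROOT in p.parents


def validate_service(entry: dict) -> list[str]:
    """Policy violations for one entry; an empty list means it may be used."""
    problems = []
    if entry["type"] not in ALLOWED_TYPES:
        problems.append(f"unknown protocol type {entry['type']!r}")
    if entry["initiator"] not in ALLOWED_INITIATORS:
        problems.append(f"initiator {entry['initiator']!r} is not on the allow-list")
    if not path_is_allowed(entry["path"]):
        problems.append(f"path {entry['path']!r} is outside the allowed root")
    return problems


def catalog_digest(xml_text: str) -> str:
    """SHA-256 of the catalog text, recorded when the original is written."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def load_catalog(working: str, original: str, expected_digest: str):
    """Use the working copy only if its digest matches the recorded one and it
    parses and validates; otherwise reconstitute from the original, as the
    paper's recovery step does. Returns (services, source)."""
    if hmac.compare_digest(catalog_digest(working), expected_digest):
        try:
            services = parse_catalog(working)
            if not any(validate_service(s) for s in services):
                return services, "working"
        except (ET.ParseError, ValueError):
            pass
    services = parse_catalog(original)
    bad = {s["name"]: validate_service(s) for s in services if validate_service(s)}
    if bad:
        raise ValueError(f"original catalog violates policy: {bad}")
    return services, "original"


if __name__ == "__main__":
    digest = catalog_digest(SAMPLE_CATALOG)
    print(load_catalog(SAMPLE_CATALOG, SAMPLE_CATALOG, digest)[1])    # working
    print(load_catalog(TAMPERED_CATALOG, SAMPLE_CATALOG, digest)[1])  # original
```

The digest only adds protection if it is recorded somewhere the writer of the working copy cannot reach (the original's location, or a signed manifest); a digest stored beside the working copy is rewritten along with it. The allow-lists matter independently of the digest: without them, any party able to write the catalog chooses which class the factory method loads and from where.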

Semantic heterogeneity is one of the chief concerns of any multi-agent system. It 
expresses the issue that any two interoperating agents must be certain, 
when using a vocabulary of terms or translations thereof (FIPA to MAS-CF, for example), that they are using the same 
concepts with the same relevant inferences and relations as the other communicating 
agent [Sycara2003]. We argue that ontology, commonly defined in the literature as 
a specification of a conceptualization, is the representation that will satisfy this 
requirement [Gruber1998]. 

A conceptualization can be concretely implemented, for example, in a software 
component. Different types of ACL (Agent Communication Language) can be 
identified via the type tag, and services are provided by adapter components to translate 
MAS-CF messages to and from KQML [Finin1997], FIPA, UCL [Montesco2001] 
and other ACLs. An adapter decodes the calls that arrive from the environment and identifies 
the language spoken by the agent, for example KQML or FIPA. These components 
can be registered and plugged into the Infra tier. 


5 Describing and Transforming the Specifications 

In this section we describe how the behavior of the framework is formalized through 
the use of FTS (Finite Transition Systems) [Arnold1994]. We then show 
how the specification is described and transformed into reliable code. 

5.1 The Behavior of the Framework 

Most work on the semantics of parallel, communicating, concurrent or interacting 
processes is based on the concept of automaton. More generally, a finite state 
automaton formed of states and labeled transitions between those states can describe 
a system whose state evolves over time [Arnold1994]. An agent is a computational 
entity handling sequences of events. To handle events, agents can emit events, absorb 
events, and process internal events [Plasil2002]. Method calls on interfaces turn into 
events, and the architecture's behavior is modeled via the event sequences (traces) on 
the architecture. The behavior of the architecture can be approximated and 
represented by an FTS. A transition system consists of a set of possible states for the 
system and a set of transitions, or state changes, which the system can effect 
[Arnold1994]. 



The previously presented architecture (Figure 3) can be described as a concurrent 
FTS, as shown in Figure 6. The figure shows each tier represented as an FTS, working 
concurrently with the other tiers. The label $\lambda$ indicates the target action or event when the 
state triggers the transition. The set of states $\{S_1, S_2\}$ encapsulates the 
provided and required interfaces DomainIn and DomainOut of the Domain tier, 
respectively. In a similar way, the sets $\{S_4, S_5\}$, $\{S_{11}, S_{12}\}$ and $\{S_{31}\}$ compose the 
provided and required interfaces of the MAS, Agent and Infra tiers, respectively. The 
states $S_3$, $S_6$ and $S_{32}$ each represent a set of nested states composed of the classes with the 
suffixes Controller, Creator and Parser of the Domain, MAS and Infra tiers, as seen 
in Section 3.5. 



Figure 6 - The architectural model as FTS 

Asynchronous behavior between states is represented through self-transitions. A 
self-transition may represent an asynchronous communication channel between two 
tiers ($S_1$ to $S_4$, for example) or a recursive decomposition into nested states, as seen in 
$S_3$, $S_6$ and $S_{32}$. In the expressions that label the transitions, the character $\lambda$ represents the 
target action to be executed by the transition. The suffixes {!, ?} mark the action as 
emitted or absorbed, respectively. Besides actions, variables are also described. Basically, the 
variables represent services (serv), instances (mas, agt and comp) and results or data 
(res) modified by the states or processes. 


At run time, the program directs the flow via a switch on the current state, evaluates 
the predicates and moves to the target state, performing the associated action. This 
can be seen in the code fragment presented in Figure 7 of the next subsection. ECA 
(Event-Condition-Action) rules specify how the architecture receives messages from the environment and from 
agents, how it verifies the service, directs services, sends messages and creates 
instances of the architectural entities. The synchronization between tiers (considered as 
concurrent processes) is provided through CCS (Calculus of Communicating 
Systems) [Milner1985] expressions. 

CCS expressions generate a set of traces over the architecture, and the agents 
establish the restrictions, the sequence of execution and the synchronization between the 
concurrent tiers. The basic operators are the classic regular-expression operators sequence, 
alternative and repetition. The enhanced operators provide a notation to describe 
concurrency, using the known operators or-parallel, and-parallel and restriction. 
Several transitions can have the same source and target, i.e., the mapping from transitions 
to (source, target) pairs is not necessarily injective. The sequence of action labels 
$\lambda(c) = \lambda(t_1)\lambda(t_2)$ along a path $c = t_1 t_2$ is called the trace 
of the path. Intuitively, the label of a transition indicates the action or the event which 
triggers the transition. 


5.2 Code Generation 

When instancing MASs, agents or Infra components, the specifications captured and 
stored in the XML file are transformed into reliable code using parser and generator 
programs. The parsers read the specifications from the XML file using the 
standard XML Document Object Model (DOM). DOM essentially maps every element 
of an XML document to an object. Such an object has methods to access the 
element's attributes, and DOM also supplies methods to navigate through documents, 
to locate the parent element and to enumerate the child elements. After being parsed 
through the DOM, the information is supplied to the generator program, which 
transforms the parsed information into source code based on templates of MAS-CF 
entities. 

During the implementation phase, code generation occurs at two separate times. 
First, upon the instantiation of the architectural elements by the framework, the 
code of the structural model is automatically generated. At this stage, the MAS (if it 
has not been instantiated), the agents and the internal layers of the agents can be 
instantiated. Afterwards, only the abstract methods of the semi-finished components can be 
implemented or plugged. Thus, the implementation of the internal architecture of the 
agent becomes independent from the framework. The internal implementation of the 
agents is free, and therefore any type of agent architecture or implementation model 
may be used. 

In the design of rational agents, the role played by attitudes such as beliefs, desires 
(or goals) and intentions has been well recognized in the AI and agents literature. 
Systems and formalisms that give primary importance to intentions are often referred 
to as BDI (Belief, Desire, Intention) architectures. BDI-like architectures model the 
agent's behavior using a set of mental categories evolving in a mental cycle that 
allows the agent to make decisions and to act on the environment. These architectures 
arise from the process of deciding, moment by moment, which action to take towards 
the agent's objectives. 

Figure 7 shows a partial view of the generated Java code for the Mas class (here Mas is 
an instance of the abstract model MAS). The interface MasIn, its 
parameters and the pre-condition are supplied from the specification of the 
interface, and the remaining items (states, transitions and actions) are retrieved 
from the XML service specification. The method run() of the library class 
getState retrieves the current state of this specific instance, and a switch performs the 
transition for the case that corresponds to the current state. Inside each 
case, the method instanciaAgente() of the abstract factory MasController is called and 
returns the instance responsible for forwarding or executing the requested service. The 
target state is then defined and stored using the method run() of our library 
class setState, and finally the agent returned in the frame instance performs 
the action associated with the transition. 
    private final static int MasServiceReceive    = 6;      // states
    private final static int MasServiceRequest    = 5;
    private final static int DomainServiceReceive = 1;
    private final static int DomainServiceRequest = 2;
    private final static int AgentServiceReceive  = 10;
    private final static int InfraServiceRequest  = 20;

    public void MasIn(String service, Vector in, Vector out)   // interface
    {
        if ((service.length() > 0) && (in != null))            // precondition
        {
            int state = getState.run();

            switch (state) {

                case MasServiceReceive:
                    try
                    {                                          // transition
                        IFrameCreator frame = (IFrameCreator)
                            MasController.instanciaAgente(service, in, out);
                        state = AgentServiceReceive;           // target state
                        setState.run(state);
                        frame.run(service, in, out);           // action
                        break;
                    }
                    catch (Exception e)
                    {
                        showMessage.run(e);
                        break;
                    }

                // ... remaining cases omitted in the figure
            }
        }
    }

Figure 7 - Partial view of the generated code for the Mas class 

The code of the Mas class presented above is almost completely frozen: the only 
hot-spots are the name of the In interface (MasIn), the name of the Out interface (MasOut) 
and the class name. It is completely generated when elements of the 
framework are instanced for the first time. The same happens for the classes Domain 
(through which different domains can be instanced) and Infra. The framework also 
generates the code for the abstract classes Agent and Component every time new 
agents or components are instanced. Specific implementation can be added on the hot-spots 
provided by the abstract classes of the last level. 
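The pieces described in Sections 3.4, 3.5 and 5.1 (the In contract, the setState/getState pair keyed by instance ID, and the labelled trace) come together in the dispatch that Figure 7 shows. The following is an added example in Python, not the framework's generated Java, that re-expresses that dispatch so it can be run: a shared state store indexed by instance ID, a transition table standing in for the switch, an abstract factory that resolves service names through a registry, and a trace with the ! and ? suffixes of Section 5.1. The transition table beyond the Figure 7 case, the example service and agent, and the instance IDs are assumptions of this example.

```python
"""
Added example (Python, not the paper's generated Java): the dispatch that
Figure 7 shows for the Mas class, with the Library's setState/getState pair
as a per-instance state store and the labelled trace of Section 5.1.
The transition table, the example service and agent, and the instance IDs
are assumptions of this example.
"""
from enum import Enum


class State(Enum):
    """The state constants of Figure 7 (values as in the generated code)."""
    DomainServiceReceive = 1
    DomainServiceRequest = 2
    MasServiceRequest = 5
    MasServiceReceive = 6
    AgentServiceReceive = 10
    InfraServiceRequest = 20


class StateStore:
    """Library classes setState (producer) and getState (consumer): the next
    state of every instance, indexed by instance ID in one table."""
    def __init__(self):
        self._next = {}

    def set_state(self, instance_id, state):
        self._next[instance_id] = state

    def get_state(self, instance_id, initial):
        return self._next.get(instance_id, initial)


class Trace:
    """Action labels with the Section 5.1 suffixes: '?' absorbed, '!' emitted."""
    def __init__(self):
        self.events = []

    def absorb(self, action):
        self.events.append(f"{action}?")

    def emit(self, action):
        self.events.append(f"{action}!")


class AdvisorAgent:
    """Assumed agent behind the 'Advising Receive' service (the frame's run)."""
    def run(self, service, inputs, outputs):
        outputs.append(f"advice for {inputs[0]}")


class MasController:
    """Abstract factory of the MAS tier. The registry stands in for what the
    Parser reads from the validated catalog; resolving service names through
    it, rather than instantiating whatever class name a caller supplies,
    keeps the factory from loading code the catalog never registered."""
    def __init__(self, registry):
        self._registry = dict(registry)

    def instancia_agente(self, service):
        try:
            return self._registry[service]()
        except KeyError:
            raise LookupError(f"no agent registered for service {service!r}") from None


class Mas:
    """One transition per source state, as the switch in Figure 7; the
    MasServiceRequest row is an assumption of this example."""
    TRANSITIONS = {
        State.MasServiceReceive: State.AgentServiceReceive,
        State.MasServiceRequest: State.InfraServiceRequest,
    }

    def __init__(self, instance_id, controller, store, trace):
        self.instance_id = instance_id
        self.controller = controller
        self.store = store
        self.trace = trace

    def mas_in(self, service, inputs, outputs):
        """The MasIn provided interface: precondition, state lookup,
        transition, target state stored, then the action."""
        if not service or inputs is None:
            raise ValueError("precondition failed: empty service or missing 'in'")
        state = self.store.get_state(self.instance_id, State.MasServiceReceive)
        target = self.TRANSITIONS.get(state)
        if target is None:
            raise RuntimeError(f"{state.name} accepts no request; trace so far {self.trace.events}")
        self.trace.absorb(service)
        frame = self.controller.instancia_agente(service)
        self.store.set_state(self.instance_id, target)   # stored before the action, as in Figure 7
        frame.run(service, inputs, outputs)
        self.trace.emit(service)
        return target


def run_demo():
    """Two Mas instances share one store; only the one that served a request
    advances, and a second request to it is refused by the FTS."""
    store, trace = StateStore(), Trace()
    controller = MasController({"Advising Receive": AdvisorAgent})
    mas1 = Mas("mas-1", controller, store, trace)
    mas2 = Mas("mas-2", controller, store, trace)
    outputs = []
    target = mas1.mas_in("Advising Receive", ["student-42"], outputs)
    try:
        mas1.mas_in("Advising Receive", ["student-43"], outputs)
        refused = False
    except RuntimeError:
        refused = True
    return {
        "target": target,
        "mas1": store.get_state("mas-1", State.MasServiceReceive),
        "mas2": store.get_state("mas-2", State.MasServiceReceive),
        "outputs": outputs,
        "trace": trace.events,
        "second_request_refused": refused,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points carry over from the generated code. The target state is stored before the action runs, so if the action throws, the instance has already advanced; in Figure 7 the catch block only reports the exception, and a caller that retries will find the FTS refusing the request, which is the behaviour the example reproduces. And the factory is reached only through the service name: with a registry built from a validated catalog, a request cannot name a class that the catalog never registered.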

We argue that the reuse of organizational abstractions, as well as the interaction 
facilities provided by the architecture, reduces complexity and facilitates the 
development of the cognitive capacities of the agents (learning and autonomy), since 
complex properties such as interaction, adaptation and collaboration can be addressed 
separately by the architecture. In this fashion, agent implementation can be better 
focused on the maintenance of its knowledge-gathering structures and on its 
mechanisms of learning. 


6 Discussion and Related Works 

The concept of connection as an architectural entity was established in the first 
ADLs, such as Darwin [Magee1997], UniCon [Shaw-Garlan1996], Wright 
[Allen1997] and ACME [Garlan1997], among others. The idea is to deal with 
aspects and system qualities in connectors, not in components. According to 
Szyperski [Szyperski2002], one of the problems with these approaches is that by 
introducing a pure connection-oriented approach, all components are restricted to only 
interact with other components if appropriately connected. On the other hand, a 
connector, when detailed, can easily acquire substantial complexity and display a need 
to be partitioned into components itself. Thus, "connectors" turn into regular 
components and no special actions can be performed on the connections as such. 

The concept of explicit connector has been losing ground as time passes. Some 
ADLs, such as Rapide, have a very weak notion of connectors. Connections are 
specified with bindings between the provided service of a component and the required 
service of another component. Faulkner [Faulkner2001] proposed an ADL for multi-agent 
systems using a similar concept. In his approach, Faulkner uses components, 
interfaces and services as architectural entities, without connectors. Connections are 
implemented as bindings between provided interfaces and services. Szyperski 
[Szyperski2002] states that "contextual component frameworks can be used to reintroduce 
the intercepting behavior of connectors, but this time at the level of context 
boundaries." Contexts provide the generic aspects, while components and/or agents 
provide the non-generic aspects of contexts by parametrizing generic contexts. 

The preference for implicit connections, as opposed to explicit ones, is one of the 
key points in our approach, which has a very weak notion of connector. The interaction rules are 
managed and performed by the architecture, resulting in calls to other agents and 
services inside or outside the organization. Its semantics consists of the rules 
defining the subtype (and supertype) relationship between tiers, and the services 
ontology providing the mechanisms necessary for interoperability support. We share a concept 
introduced in [Wooldridge2000], namely that agents should not be built assuming the 
existence of other specific agents; the idea is that interdependencies should be reduced 
to make the system more flexible and reusable. 

Current frameworks for multi-agent systems such as JADE [Bellifemine2001], 
RETSINA [Sycara1999, Sycara2003], MESSAGE [Evans2002] and ZEUS 
[Azarmi2000] work with a structure much more focused on the individual properties 
of agents than on MAS architecture. These approaches provide an implementation 
that enforces only partially the rules of interaction in the architecture. Unlike most 
frameworks for multi-agent systems, our framework focuses on the reuse of generic 
organizational abstractions instead of on individual agent properties such as roles, 
protocols and internal architecture. 


7 Contribution and Practical Results 

Our key contribution is to describe a MAS in an abstract and application-independent 
way, allowing large-scale reuse of the organizational abstractions. We were able to 
show, throughout the work, the support for architectural principles and the use of 
contextual compositions, allowing the enforcement or solution, at an architectural 
level, of some of the fundamental agency properties cited in Section 2, such as 
interaction, adaptation and collaboration. This makes the implementation of the 
agent much simpler, since such aspects are addressed separately from the object's 
functional implementation. The following properties were directly or indirectly 
addressed at an architectural level: 

• interaction: the rules of interaction established by the communication model, 
forcing the instance of an agent to communicate via a control mechanism of 
the architecture, make possible the distribution and sharing of services in a 
transparent and independent way. 

• adaptation: the abstract factories of the Domain, MAS and Infra tiers allow 
new agents, or new versions of agents replacing obsolete ones, to be easily 
"plugged" into our framework, ensuring high flexibility and adaptability, since 
the agents can easily adapt their state and behavior at run time to new 
environment conditions. 

• collaboration: the formalization of services through ontologies and catalogs 
communicates the semantics of the services provided by the agents and 
generic components, facilitating the assembly of compositions and 
collaboration between agents via required and provided services. Forcing all 
agents to use a common vocabulary defined in one or more shared ontologies 
is an oversimplified solution, especially when these agents are designed and 
deployed independently from each other. 

Reusing an abstract architecture allows the reuse not only of architectural software 
design and implementation, but also of some agent properties that can be controlled 
via architecture mechanisms. Those benefits allow large-scale reuse, reducing the time 
of system development and the time to system readiness. 

We have instantiated a medical application for behavioral therapy using our 
framework. We were able to verify the facilities provided by the framework and at the 
same time evaluate certain non-functional requirements such as applicability, 
usability and performance, among others. The system, called MAS-CF Therapp 
[Caminada2004], provides services for a larger application that uses Virtual Reality in 
the therapy of autistic children and children with a psychosis diagnosis. The system 
works in a distributed web environment, through the HTTP and TCP/IP protocols, 
using Java/JSP/Servlet technology in conjunction with a Java/Tomcat server. 

For the first time our MAS-CF framework could be evaluated in a real-world 
application. From the viewpoint of practical applicability and use of the described 
techniques, the following could be evaluated: 

• the contextual paradigm tiers of MAS-CF; 

• the interaction model used by the framework; 

• the viability of using MAS, as well as the interaction with Virtual Reality 
techniques, in such a way as to aid and support behavior therapy. 

During the development process we could verify the advantages provided by the 
MAS-CF framework. The implementation of the agents was greatly facilitated, since 
the development was concentrated solely on the services provided and the 
relationships between layers necessary to providing these services. More concrete 
results will be obtained from future applications to be instantiated. 
Abstract. One key issue in multi-agent systems (MAS) is their ability to interact 
and exchange information autonomously across applications. To secure 
agent interoperability, designers must rely on a communication protocol that 
allows software agents to exchange meaningful information. In this paper we 
propose using ontologies as such a communication protocol. Ontologies capture 
the semantics of the operations and services provided by agents, allowing 
interoperability and information exchange in a MAS. Ontologies are a formal, 
machine-processable representation that allows one to capture the semantics of a 
domain and to derive meaningful information by way of logical inference. In 
our proposal we use a formal knowledge representation language (OWL) that 
translates into Description Logics (a subset of first-order logic), thus eliminating 
ambiguities and providing a solid base for machine-based inference. 
The main contribution of this approach is to make the requirements explicit and 
centralize the specification in a single document (the ontology itself), at the 
same time that it provides a formal, unambiguous representation that can be processed 
by automated inference machines. 


1 Introduction 

The anchor of our research is the multi-agent architectural framework proposed in 
[Haendchen03]. So far we have analyzed the architectures of several multi-agent 
platforms, notably MESSAGE [Evans00], ZEUS [Azarmi00] and JADE [Vitaglione02], 
and proposed a framework whose innovative structural model overcomes most flexibility 
shortcomings of other platforms at the same time that it promotes large-scale 
architectural reuse. The Agent Framework is described in detail in [Haendchen03, 
Haendchen04]. 

In the elaboration process of the Agent Framework, we identified the need for 
a reference model that centralized the requirements for the services provided 
and requested by agents operating within our domain in a meaningful way. The 
initial service specification was written in XML. The document was structured to 
reflect the MAS architecture hierarchy, i.e., each section corresponded to one of its 
architectural layers. Although highly structured, this document did not provide any 
further semantics to aid either the understanding, verification or validation of the 
specification. Agents could only interact if they shared the exact same specification. 
No negotiation was possible, for the semantics of the services cannot be fully 
expressed in XML. 

We decided to migrate to a more expressive representation. Ontologies were the 
natural choice, as they are becoming the standard for information interoperability on the 
web [Gomez-Perez04]. With the adoption of an ontological representation it was possible 
to formalize the terms used in the previous XML service specification, i.e., services, 
objects, agents and components present in the architecture and the desired ways in 
which they should interact. In addition to the required syntax, the ontology specification 
was enriched with semantic content, thus allowing automatic verification, validation 
with users, and the possibility of negotiating with agents using different service 
specifications. Different ontologies can be negotiated through the processes of 
alignment, mapping or merging [McGuiness02, Bouquet03, Breitman03b]. This 
problem is defined as semantic coordination and can be described as the situation in 
which all parties have an interest in finding an agreement on how to map their models, 
but given that there is more than one possibility, the right one (or a sufficiently 
good one) must be chosen [Bouquet03]. 

An ontology serves as the service specification of an agent operating in the domain, 
and will be used in making ontological commitments among other software 
agents [Fensel01]. An ontological commitment is an agreement to use a vocabulary 
in a way that is consistent with respect to the theory specified by the ontology, i.e., an 
agreement on what local models are about, in order to achieve user goals [Bouquet03]. We 
build agents that commit to our ontology. Conversely, we design ontologies in order 
to share knowledge with and among these agents [Gruber93]. The ontology concentrates 
the desired behaviors and service descriptions in a single document. It serves 
both as the specification and as the reference model with which the agents operating in the 
domain should comply. 

The rest of the paper is divided as follows: in the next section we briefly introduce 
the ontology definition and representation language we adopted in the context of our 
research. In Section 3 we describe the context of our MAS. In Section 4 we show an 
example of our approach. In Section 5 we briefly describe the lessons learned from 
this experience and, finally, in Section 6 we provide our concluding remarks and future 
work. 


2 Ontology 

In order to secure interoperability among autonomous agents, a protocol in which to 
exchange the necessary information to support this process is required. We argue 
that ontology, commonly defined in the literature as a specification of a conceptualization, 
is the representation that will satisfy this requirement [Gruber98]. On one 
hand, ontologies are expressive enough to capture the essential attributes present in 
MAS, in terms of their classes and relationships. On the other hand, ontologies provide 
the necessary formality in which to perform automated inference and model 
checking. According to Tim Berners-Lee, ontologies will allow machines to process 
and integrate Web resources intelligently, enable quick and accurate web search, and 
facilitate communication between a multitude of heterogeneous web-accessible 
agents [Berners-Lee01]. 

We adopt the ontology structure $O$ proposed by Maedche [Maedche02]. According 
to the author, an ontology can be described by a 5-tuple consisting of the core elements 
of an ontology, i.e., concepts, relations, a hierarchy, a function that relates concepts 
non-taxonomically and a set of axioms. The elements are defined as follows: 


$O := \{C, R, H^C, rel, A^O\}$, consisting of: 

• Two disjoint sets, $C$ (concepts) and $R$ (relations) 

• A concept hierarchy $H^C$: $H^C$ is a directed relation $H^C \subseteq C \times C$ which is 
called concept hierarchy or taxonomy. $H^C(C_1, C_2)$ means $C_1$ is a subconcept 
of $C_2$ 

• A function $rel: R \to C \times C$ that relates the concepts non-taxonomically 

• A set of ontology axioms $A^O$, expressed in an appropriate logical language. 


Most existing ontology representation languages can be mapped to this structure, e.g. RDF, OIL and DAML, but there seems to be a consensus to adopt OWL as the de facto language to represent ontologies. OWL is being developed by the W3 consortium as an evolution of the DAML standard [Hjem01, Hendler00, McGuinness03]. The OWL Web Ontology Language is designed for use by applications that need to process the content of information instead of just presenting information to humans. OWL facilitates greater machine interpretability of Web content than that supported by XML, RDF, and RDF Schema (RDF-S) by providing additional vocabulary along with a formal semantics. The OWL specification comprises three increasingly expressive sublanguages: OWL Lite, OWL DL, and OWL Full. OWL Lite supports classification hierarchies and simple constraints, e.g., cardinality. It is intended as a quick migration path for taxonomies and thesauri, i.e., those that are free from axioms or sophisticated concept relationships. OWL DL supports "maximum expressiveness while retaining computational completeness (all conclusions are guaranteed to be computed) and decidability (all computations will finish in finite time)" [McGuinness03]. DAML+OIL is equivalent, in terms of expressiveness, to OWL DL. Finally, OWL Full supports maximum expressiveness. According to the W3 consortium, it is unlikely that any reasoning software will be able to support complete reasoning for every feature of OWL Full.

The existence of a large repository of ontologies also influenced our decision to migrate to OWL as the ontology representation language used in our projects. In Table 1 we show the mapping between the nomenclature used by the O ontology model and the one adopted by OWL.


Table 1. Terminology mapping between the O ontology structure and the ontology language OWL

  O Ontology Structure                                            OWL
  C      Concept                                                  Class
  R      Relation                                                 Property
  H_C    concept hierarchy                                        Subsumption relationship: SubClassOf
  rel    function that relates the concepts non-taxonomically     Restriction
  A^O    Axiom                                                    Axiom


OWL provides the modeling primitives used in frame-based systems, i.e., concepts (or classes) and the definition of their superclasses and attributes. Relations are also defined, but as independent entities (properties) rather than as class attributes. The primitives provide expressive power and are well understood, allowing for automated inference. The formal semantics are provided by Description Logics (DL). DLs, also known as terminological logics, form a class of logic-based knowledge representation languages based on the primitives above [Horrocks02]. DLs attempt to find a fragment of first-order logic with high expressive power which still has a decidable and efficient inference procedure [Newell82, Heinsohn94]. FaCT is a working example of a system that provides reasoning support (i.e., consistency and subsumption checking) for OWL-encoded ontologies [Horrocks01].

An OWL ontology is a sequence of axioms and facts, plus references to other ontologies, which are considered to be included in the ontology. OWL ontologies are web documents, and can be referenced by means of a URL. Ontologies also have a non-logical component that can be used to record authorship and other non-logical information to be associated with an ontology [OWL, McGuinness03].

In the next section we present the MAS Framework we have been experimenting 
with and relate the construction process of its service ontology. 


3 MAS Framework 

Agent-oriented software engineering extends the conventional component development approach, leading to the construction of more flexible and component-based MASs [Griss03], emphasizing reuse, low coupling, high cohesion and support for dynamic compositions. Rapid and problem-specific system construction can be attained through the use of model-driven development and reuse techniques in order to achieve a more flexible, adaptable, robust and self-managing application. These properties can be constituted by the combination of several technologies, such as component-based software engineering [Griss03,24,38], frameworks [Bosh99, Fayad99, Pree99, Roberts98], design patterns [Gamma95, Larman98], rule-based systems [Gelfond93, Paton95, Yu00] and now ontologies [Fensel03, Berners-Lee01, Hendler01]. The MAS Framework architecture comprises five layers: Domain, Multi Agent System (MAS), Agent, Module and Class. Figure 1 depicts the Framework architecture. Note that the Module and Class layers are located inside each agent; the modules are represented in Figure 1 by the circles labeled S30, S40, S50 and S51 (the classes are not represented in the figure; they are internal parts of the modules). Note that there are two ontologies in the architecture, illustrated by circles S4 and S9. The first one, S4, is the upper ontology and contains the specification of shared domain services, i.e., infrastructure, interface and communication services that will always be instantiated by our Framework. This ontology was built by experts and is part of the implementation of the Framework. The second ontology, located at the MAS level and illustrated by circle S9 in Figure 1, represents the agent-specific ontology. It contains hot spots where particular application services are to be specified during the Framework instantiation process. As a consequence of the multi-layered architecture of the Framework, application services are specified under the domain level, i.e., as leaves of the upper ontology. For all practical purposes, the agent-specific ontology is a composition of the upper ontology (top levels) with the addition of the specification of application-specific services at the bottom levels (MAS and agent).

Each MAS centralizes its service specification in a single document (represented by the circle labelled S9 in Figure 1). In our architecture, agents preferentially receive service requirements through a single interface, instead of interacting directly with one another using multiple interfaces. This communication is done using highly structured messages composed using the terminology formalized by the service ontology. This way, both the syntax required by the interface specification and the semantics associated with the terms used in the service request are now available. Providing clear semantics for the terms in use helps maintain the clarity and transparency of the specification. It serves as an aid to the ontology validation process and also as a guide to non-expert users in the process of including new service specifications at the agent layer.

The syntax of the services provided by each agent, and how they can be accessed, is provided by the interface specification. Thus, an essential part of the process is defining a syntactic description of each interface and how the services can be accessed. The aim of the service specification ontology is to identify the services associated with each agent, specifying the main properties of these services. For each service that may be performed by an agent, it is necessary to document its properties. In particular we must identify inputs, outputs, pre-conditions, post-conditions, parameters, states, transitions and rules.

Initially we used an XML document to serve as the service specification. It contained descriptions of the services provided and interface parametrization. Although structurally sound, the XML document was found to be semantically weak and unfit to describe some aspects of the service specification, e.g., rules and states. Migrating to an ontological representation was a natural move.

Fig. 1. MAS Framework Architecture


We had to question ourselves whether it was possible to express all the necessary information in the MAS service specification using the available ontology languages. As presented in section 2, the current W3C recommendation language for ontology modelling is OWL, the evolution of previous efforts in finding a standard ontology language. OWL comprises three different languages, the choice of which should be based on the level of expressiveness desired for the ontology in question. The first language, OWL Lite, was definitely not expressive enough to capture the necessary information present in the service specification. Our choice was between OWL DL and OWL Full. The latter, although allowing for maximum expressiveness, does not guarantee that automatic reasoning will complete in computable time [OWL]. In our case, the use of inference to help verify overall specification consistency is very important, so we chose OWL DL as the preferred language. The latter ensures decidability and the existence of an efficient inference mechanism for the language [McGuinness03]. This choice, however, came with an additional modelling overhead. OWL DL does not directly provide some modelling primitives, e.g., class attributes and n-ary relationships. Those can be obtained by means of some workarounds. This is common practice in the markup language community. Asunción Gómez-Pérez, Mariano Fernández-López and Oscar Corcho published a table of the most common workarounds (partially reproduced in Table 2) [Gómez-Pérez04].




We build ontologies using the lexicon-based ontology construction process proposed in [Breitman03]. This process is influenced by our background in requirements engineering and system specification and uses the Extended Lexicon of the Language (LEL) [Breitman03c, Leite93], referred to as Lexicon from here on, as the starting point. We initiate the process by building a Lexicon that captures the vocabulary of our application, i.e., the basic concepts and the relationships that bind them together, in an informal way (using natural language). The Lexicon models a series of definitions of the services, objects, agents and components present in the MAS architecture, and the desired ways in which they should interact. Such definitions evolve from an informal, natural language lexical representation to a formal, machine-processable, ontological representation through the application of the lexicon-to-ontology mapping rules defined in [Breitman03].

Table 2. Markup Language Workarounds

The Lexicon represents domain information obtained with the help of well-known elicitation techniques, e.g. questionnaires, observation, structured meetings. It captures both the denotation and connotation of important domain concepts. Differently from usual dictionaries, which capture only the meaning (denotation) of an entry, the Lexicon also captures its connotation, i.e., the behavioral response or impacts that a Lexicon entry might have in defining other entries [Leite93].

To build the service specification Lexicon we started with the elicitation of important domain¹ concepts. Those were present in the XML specification, but were not defined to satisfaction. To elicit their meaning, we applied questionnaires and structured interviews with domain experts, i.e., the software engineers involved in the construction of the first specification. In Figure 2 we show an example of a Lexicon entry, the Advisor entry. The Lexicon elicitation and construction process is fully described in [Breitman03].

Fig. 2. Screen snapshot of the Lexicon entry Advisor in the C&L tool


To generate the formal ontology we applied the process proposed by Breitman & 
Leite to the newly built Lexicon. This process consists of a set of rules that map 
Lexicon entries into the five ontological elements proposed by Maedche, described in 
section 2. 

Lexicon entries are typed as one of subject, object, verb or situation. Depending on the type, a different set of rules is applied to the Lexicon entry and will result in its mapping to either an ontology concept or a property. The notion of a Lexicon entry is mapped into the description of its corresponding ontology concept. Its behavioral responses serve as an aid in the identification of ontology properties, concept restrictions and non-taxonomical relationships among ontology concepts. Axioms come from the identification of disjoint or generalization relationships held among Lexicon entries. The lexicon-based ontology construction process is described in detail in [Breitman03]. This process is supported by C&L, an Open Source tool that automates a large part of the lexicon-to-ontology mapping process. Some design decisions have to be taken by the software engineer and cannot be fully automated [Breitman03c]. The tool also provides automated support for the creation and management of Lexicons [Felicíssimo04]. In Figure 3 we show the upper service ontology.

¹ Please note that we use the term domain in the broad sense, signifying the application domain as a whole. In this case, our domain is the entire multi-agent framework, for which we intend to build a service specification, as opposed to its top layer, which is incidentally named domain as well.



Fig. 3. Upper service ontology

In this section we described the construction of the upper service ontology. Specific services provided by the agents are specified in the application ontology, located at the MAS level, as shown in Figure 1. As mentioned before, it is a direct consequence of the multi-layer architecture of the Framework that specific agent services are specified as leaves, i.e., placed under the lowest levels of the upper ontology. Evidently, those services are particular to each implementation and cannot be provided by the upper ontology. Those specifications must be included by a software engineer, as part of the implementation of the MAS itself, and vary case by case. In the next section we exemplify our approach.


4 Academic Control System: an example 

To exemplify our approach we chose an academic control system MAS that tracks 
the undergraduate student advisement process. We focus on the services provided by 
the Advisor agent, as illustrated in Figure 4. 

In the advising process, a student fills out a registration form with his/her name, student ID, the current semester and the details of the course he/she would like to take. After sending the request, the student receives the final result, either an enabling password or the justification for denying the request. The Advisor has the function of taking the student request and conducting preprocessing: validating the student, verifying the syntactic aspects, checking the viability of the schedule, directing the request result to the student, or providing a request status.



Fig. 4. System generic architecture as proposed in [Haendchen03], instantiated to the 
academic control MAS example 

The agent Chair can make a slot available whenever the class is full, and the agent Instructor can dismiss pre-requisites for a course. The instructor and chair agents exchange messages with human agents through well-defined and well-structured e-mail messages. The advisor receives the request, verifies syntactic aspects and whether the student has the prerequisites for the intended courses, and checks to see if there are vacancies in the desired classes. If these conditions are met, the advisor authorizes the request by signing it and gives the student the registration password needed to register for the course. If these conditions are not met, the advisor directs the request, according to the arguments of the event, to the student, the instructor or the chair. While the process is under way, the student can ask the advisor for information about the progress of the request by e-mail. In any case, the advisor returns the request to the student via e-mail, specifying the result. Based on this information we modeled the Lexicon of the services provided by the system. In the academic control MAS case we used interviews and observation techniques to help elicit lexical information from the domain.

Through a series of refinements, the academic control Lexicon was mapped to its formal ontology. This process was semi-automated, for some human input is necessary at specific decision points. The C&L open source tool automates this process and was used to support the construction of the academic system ontology [Silva03].

In Figure 5 we show a screen snapshot of the ontology of services provided by the academic control system. We focus on the domain_out interface. Please note that, although some restrictions are defined at the concept level, a great number of other restrictions are inherited from its superclasses (see the restriction box in the lower right corner of Figure 5). The superclass of class domain_out is indicated in the Classes box, namely domain_required². The ontology was implemented using OilEd, a freeware tool for ontology editing developed at the University of Manchester, which exports to the chosen OWL format [Bechhofer01].



Fig. 5. The ontology concept domain_out implemented using the OilEd tool.


We took special care to ensure overall model quality. We validated the Lexicon with the users and verified it using inspections [Kaplan00]. The ontology was verified using the FaCT (fast classification of terminologies) inference engine, publicly available at [FaCT04]. The reasoning services provided by this tool include inconsistency detection and the determination of subsumption and equivalence relationships (among classes).

² The # symbol that appears as a suffix of the classes indicates the namespace of the class, i.e., the name of the ontology where the specification of the class resides. OWL and similar markup languages do not require that all concepts in the ontology be specified in the same document. By using the namespace mechanism, it is possible to reuse concepts defined in other ontologies, provided that a valid path to that document is given.

In Figure 6 we illustrate an inconsistency identified with the aid of the inference mechanism. The ontology has an axiom that states that the classes MAS Security Checking and Domain Security Checking are disjoint, i.e., their intersection is empty. This is illustrated by the left panel, which contains the list of axioms for the Academic Control ontology. In the rightmost panel we depict the ontology as it was being built. In this process we specified a restriction in which a state would only be reached in the event that both MAS Security Checking and Domain Security Checking were activated.



Fig. 6. Inconsistency in class domain_out 


This situation is an impossibility, for the classes are necessarily disjoint (as stated by the axiom in the left pane). During the construction of the ontology this fact passed unnoticed by the designers. The consequences this error may bring to the implementation of the MAS are very serious, for it may cause the agent to halt or to enter a dead-loop state. This fault was automatically detected with the use of the reasoner, as illustrated in Figure 7. We depict three panes. In the first one we show the interface to the FaCT reasoner. This tool is built in Common Lisp and makes inferences over a description logic representation of the ontology. The ontology editor, OilEd, translates the ontology to SHIQ (a description logic dialect) and sends it to the reasoner using a CORBA interface. On the second pane, the middle one, we depict the log of the reasoning process. We emphasize that the class domain_out is unsatisfiable, but note that the reasoner also checks for errors in subsumption relationships and class instances. The third pane, the rightmost, illustrates the graphical display of the inconsistency in the OilEd tool. Similarly to this case, the reasoner helped us detect other inconsistencies in the ontology. We also performed manual verification, using a process very similar to software walkthroughs: we gathered a group of three designers and revisited the material during a planned meeting. The chief designer of the ontology served as group mediator and conducted the meeting. The errors found were mostly syntactical, e.g., classes, properties and restrictions wrongly named, or typos. A few inconsistencies such as the one illustrated in Figure 6 were also found. We noticed that the inheritance mechanism makes it very hard to identify inconsistencies when they are the result of a composition of restrictions that appear at different levels, i.e., one was defined at the class level and the other was inherited from a superclass. It is important to note that all inconsistencies of this type were also detected by the reasoner at a later moment. We concluded that manual verification is worthwhile, for it helps identify problems that could not be otherwise detected. Practitioners should, however, focus on the terminology, usage and validation of ontological terms. Inconsistencies are more systematically detected with the aid of an automatic reasoner.

The reasoner was also useful in the identification of a group of classes that shared a similar setting. To illustrate this situation we present the example of the class alert condition. This class, as illustrated in Figure 7, is defined if two of its restrictions are true, namely in != null and security_check = 7. We defined this class in the ontology as being of the type SameClassAs, i.e., these restrictions are a necessary and sufficient condition, so any other class that possesses them is classified as equivalent to the class alert condition.

Class domain_out of the Academic Control ontology is an example of a class that fulfills this requirement. We depict this class and its restrictions in Figure 8. Note that one of the restrictions was specified among the class's own restrictions, while the second came as an inherited restriction from its superclass, domain_required. This mechanism is very useful to help ensure that some conditions are met across the ontology.
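The reasoning steps just described, together with the O := {C, R, H_C, rel, A^O} structure of section 2 on which they operate, as an added example in Python that is not code from the paper nor from the C&L, OilEd or FaCT tools it describes: it stores the structure as sets and dicts, closes the hierarchy to collect inherited restrictions, flags a class as unsatisfiable when two restrictions on one property demand disjoint classes (the domain_out case of Figure 6), and classifies classes under a SameClassAs definition (the alert condition case of Figures 7 and 8). The class, property and value names are the paper's; which restriction is attached to which class in the sample ontology is a constructed assumption.

```python
"""Consistency and classification checks over a small service ontology.

Added example, not the paper's code nor that of C&L, OilEd or FaCT.  Models
Maedche's O := {C, R, H_C, rel, A^O} as plain sets and dicts and re-creates:
  * domain_out unsatisfiable (Figure 6): an own restriction and one inherited
    from domain_required require a state that is both MAS_Security_Checking
    and Domain_Security_Checking, declared disjoint by an axiom;
  * alert_condition defined as SameClassAs (necessary and sufficient), so a
    class whose own plus inherited restrictions cover in != null and
    security_check = 7 is classified under it (Figures 7 and 8).
Names come from the paper; the placement of restrictions is constructed.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Restriction:
    """A restriction on one property, e.g. ('state', 'MAS_Security_Checking')."""
    prop: str
    value: str


@dataclass
class Ontology:
    concepts: set                 # C
    relations: set                # R
    hierarchy: set                # H_C: set of (subconcept, superconcept) pairs
    rel: dict                     # rel: relation -> (domain concept, range concept)
    axioms: set                   # A^O: here only ("disjoint", c1, c2) triples
    restrictions: dict = field(default_factory=dict)  # concept -> set[Restriction]
    defined: set = field(default_factory=set)         # SameClassAs classes

    def superclasses(self, c):
        """Transitive closure of H_C upward from c, c itself included."""
        seen, todo = set(), [c]
        while todo:
            cur = todo.pop()
            if cur in seen:
                continue
            seen.add(cur)
            todo.extend(sup for sub, sup in self.hierarchy if sub == cur)
        return seen

    def all_restrictions(self, c):
        """Own restrictions plus every restriction inherited through H_C."""
        out = set()
        for s in self.superclasses(c):
            out |= self.restrictions.get(s, set())
        return out

    def disjoint(self, a, b):
        """True when an ancestor of a is declared disjoint from an ancestor of b."""
        sa, sb = self.superclasses(a), self.superclasses(b)
        return any(kind == "disjoint" and ((x in sa and y in sb) or (x in sb and y in sa))
                   for kind, x, y in self.axioms)

    def unsatisfiable(self):
        """Classes whose combined restrictions demand disjoint values for one property."""
        bad = set()
        for c in self.concepts:
            by_prop = {}
            for r in self.all_restrictions(c):
                by_prop.setdefault(r.prop, set()).add(r.value)
            for values in by_prop.values():
                if any(self.disjoint(x, y) for x, y in combinations(values, 2)):
                    bad.add(c)
        return bad

    def classify(self, defined_class):
        """Classes meeting every restriction of a SameClassAs class.  (A full DL
        reasoner would also place an unsatisfiable class here, since the empty
        class is below everything; kept simple to match the paper's reading.)"""
        needed = self.restrictions[defined_class]
        return {c for c in self.concepts
                if c != defined_class and needed <= self.all_restrictions(c)}


def build_academic_ontology():
    """Constructed slice of the Academic Control ontology (an assumption)."""
    r = Restriction
    return Ontology(
        concepts={"Service", "domain_required", "domain_out", "alert_condition",
                  "State", "MAS_Security_Checking", "Domain_Security_Checking"},
        relations={"state", "in", "security_check"},
        hierarchy={("domain_out", "domain_required"), ("domain_required", "Service"),
                   ("MAS_Security_Checking", "State"), ("Domain_Security_Checking", "State")},
        rel={"state": ("Service", "State")},
        axioms={("disjoint", "MAS_Security_Checking", "Domain_Security_Checking")},
        restrictions={
            "domain_required": {r("state", "MAS_Security_Checking"), r("security_check", "7")},
            "domain_out": {r("state", "Domain_Security_Checking"), r("in", "!= null")},
            "alert_condition": {r("in", "!= null"), r("security_check", "7")},
        },
        defined={"alert_condition"},
    )


def run_checks(onto=None):
    """What a reasoner pass reports: unsatisfiable classes and, for each
    defined class, the classes that fall under it."""
    onto = onto or build_academic_ontology()
    report = {"unsatisfiable": onto.unsatisfiable()}
    for d in onto.defined:
        report[d] = onto.classify(d)
    return report


if __name__ == "__main__":
    for key, classes in run_checks().items():
        print(f"{key}: {sorted(classes)}")
```

The unsatisfiable check is deliberately run over the closed set of restrictions rather than the class's own, because that is exactly the case the paper reports as hard to see by hand: the two conflicting restrictions live at different levels of the hierarchy.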











As an illustration we also show the OWL code for the domain_out class in Table 3. Note the similarity to XML, and the fact that the language uses RDF constructs, e.g., subClassOf. This is intentional and is a direct consequence of the "wedding cake" architecture for ontology languages proposed by Tim Berners-Lee [Fensel03]. This model reflects the evolution of ontology markup languages. Each new gain in semantics resulted in the construction of a new language layer, put on top of an XML basis. The first layer was RDF, followed by RDF Schema. Because those were not expressive enough, a new wave of languages, including DAML, OIL and now OWL, was proposed and put on top of the RDF layer. The result is that an OWL document contains OWL-specific markup as well as primitives imported from the layers below, e.g., rdfs:label.


Table 3. Example of OWL code for the domain_out class (partially represented)

<owl:Class rdf:about="file:/C:/Documents/AcademicAplications.owl#domain_out">
  <rdfs:label>domain_out</rdfs:label>
  <rdfs:comment><![CDATA[]]></rdfs:comment>
  <oiled:creationDate><![CDATA[2004-04-18T22:20:56Z]]></oiled:creationDate>
  <oiled:creator><![CDATA[Karin]]></oiled:creator>
  <rdfs:subClassOf>
    <owl:Class rdf:about="file:/C:/OilED/ontologies/AcademicAplications.owl#domain_required"/>
  </rdfs:subClassOf>
  <rdfs:subClassOf>
    <owl:Restriction>
      <owl:onProperty rdf:resource="file:/C:/Documents/Karin/AcademicAplications.owl#public"/>
      <owl:hasClass>
        <owl:Thing/>
      </owl:hasClass>
    </owl:Restriction>
  </rdfs:subClassOf>
  <rdfs:subClassOf>
    <owl:Restriction>
      <owl:onProperty rdf:resource="file:/C:/Documents/Karin/AcademicAplications.owl#void"/>
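The listing in Table 3 read back programmatically, as an added example in Python that is not code from the paper or from OilEd: it parses a constructed, well-formed completion of the domain_out fragment (the closing tags, the second restriction's filler and the oiled namespace URI are assumptions, since the paper's listing stops at the second owl:onProperty) with the standard library XML parser, resolves each element through the namespace of the layer it belongs to, and returns the named superclass and the property restrictions of the class.

```python
"""Pull class structure out of an OWL RDF/XML fragment.

Added example, not the paper's code.  OWL_SAMPLE is a constructed, well-formed
completion of the domain_out fragment of Table 3; the closing tags, the
second restriction's owl:hasClass filler and the oiled namespace URI are
assumptions.  Each element name carries the namespace of the layer it comes
from (rdf, rdfs, owl, or the editor's own oiled vocabulary), which is the
layered language architecture as it appears at document level.
"""
import xml.etree.ElementTree as ET

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
    "owl": "http://www.w3.org/2002/07/owl#",
    "oiled": "http://example.org/oiled#",   # placeholder, not the real OilEd URI
}
RDF_ABOUT = "{%s}about" % NS["rdf"]
RDF_RESOURCE = "{%s}resource" % NS["rdf"]

# Constructed completion of the Table 3 listing (class and property names as in the paper).
OWL_SAMPLE = f"""<rdf:RDF xmlns:rdf="{NS['rdf']}" xmlns:rdfs="{NS['rdfs']}"
         xmlns:owl="{NS['owl']}" xmlns:oiled="{NS['oiled']}">
<owl:Class rdf:about="file:/C:/Documents/AcademicAplications.owl#domain_out">
  <rdfs:label>domain_out</rdfs:label>
  <rdfs:comment><![CDATA[]]></rdfs:comment>
  <oiled:creationDate><![CDATA[2004-04-18T22:20:56Z]]></oiled:creationDate>
  <oiled:creator><![CDATA[Karin]]></oiled:creator>
  <rdfs:subClassOf>
    <owl:Class rdf:about="file:/C:/OilED/ontologies/AcademicAplications.owl#domain_required"/>
  </rdfs:subClassOf>
  <rdfs:subClassOf>
    <owl:Restriction>
      <owl:onProperty rdf:resource="file:/C:/Documents/Karin/AcademicAplications.owl#public"/>
      <owl:hasClass><owl:Thing/></owl:hasClass>
    </owl:Restriction>
  </rdfs:subClassOf>
  <rdfs:subClassOf>
    <owl:Restriction>
      <owl:onProperty rdf:resource="file:/C:/Documents/Karin/AcademicAplications.owl#void"/>
      <owl:hasClass><owl:Thing/></owl:hasClass>
    </owl:Restriction>
  </rdfs:subClassOf>
</owl:Class>
</rdf:RDF>"""


def local_name(uri):
    """'file:/...AcademicAplications.owl#domain_out' -> 'domain_out' (text after the namespace '#')."""
    return uri.rsplit("#", 1)[-1]


def _tag_local(tag):
    """'{http://www.w3.org/2002/07/owl#}Thing' -> 'Thing'."""
    return tag.rsplit("}", 1)[-1]


def extract_classes(xml_text):
    """Map each top-level owl:Class to its label, named superclasses and
    (property, filler) restrictions, reading only rdf/rdfs/owl primitives."""
    root = ET.fromstring(xml_text)
    classes = {}
    for cls in root.findall("owl:Class", NS):
        name = local_name(cls.get(RDF_ABOUT))
        supers, restrictions = [], []
        for sc in cls.findall("rdfs:subClassOf", NS):
            named = sc.find("owl:Class", NS)          # a named superclass
            if named is not None:
                supers.append(local_name(named.get(RDF_ABOUT)))
            for res in sc.findall("owl:Restriction", NS):   # an anonymous restriction class
                prop = local_name(res.find("owl:onProperty", NS).get(RDF_RESOURCE))
                filler = res.find("owl:hasClass/*", NS)
                restrictions.append((prop, _tag_local(filler.tag) if filler is not None else None))
        classes[name] = {
            "label": cls.findtext("rdfs:label", default="", namespaces=NS),
            "superclasses": supers,
            "restrictions": restrictions,
        }
    return classes


if __name__ == "__main__":
    for name, info in extract_classes(OWL_SAMPLE).items():
        print(name, info)
```

The editor-specific oiled:creationDate and oiled:creator elements are read over but not returned, which is the practical face of the non-logical component mentioned in section 2: it travels with the document without affecting the class structure.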


We must finally remark that a great level of ontology reuse is achieved as a result of our multi-level Framework architecture. Generic services provided by every MAS are specified by the upper ontology and need not be specified again. The only services that require a specification effort are those particular to the agent in question. Even so, some of the inputs, pre- and post-conditions may be inherited from the superclass under which the service is to be specified. The reuse of specifications not only reduces overall effort, but also serves to ensure quality because we are making use of a specification that was built by experts (less prone to mistakes), was verified by inspection, and has been tested in other applications³.

³ It is important to note that the upper ontology is continuously being refined as a result of reports from practitioners.




5 Lessons Learned 


The evolution from the XML service specification to an OWL ontology was an overall positive experience. Our initial concerns about the power of the ontology representation to convey specification details were lifted as we were able to model every concept in the service specification in the ontology. During this process some workarounds were needed, especially to formalize attributes such as function parameters and transitions.

The use of the FaCT reasoner helped verify the ontology and improve its overall quality. Automatic verification helped detect inconsistencies (pre- and post-conditions, parameters, undesirable situations), errors, and some omissions. Additional verification mechanisms will have to be used, as strings (e.g. regular expressions) are processed as a block by the reasoner.

Our experience in building the service ontologies to support our MAS communication exchange has shown that this task is a very complex one. Despite the existence of methods to support ontology construction, it still remains more of a craft than a science [Fernandez-Lopez97, Gruninger95, Noy01-b, Sure03, Uschold96, Breitman03]. The decisions that have to be taken during this process, e.g., deciding whether a concept should be mapped into a class or a property, are very difficult and require expertise in concept modeling. By the same rule, the workarounds that have to be used in order to represent relevant specification concepts in the ontological representation are not trivial. They require the ability to identify such concepts and to engender a workaround that maximizes the expressive power of the ontology.

Finally, tool support for visualizing ontologies is still very poor. For ontology editing we have been using OilEd and Protégé [Bechhofer01, Noy01]. Both tools fulfill our current editing requirements and have proven very reliable and easy to use. Our main concern today is the need for a tool that allows for a better visualization of the ontology, to help in the validation process⁴.

⁴ Both OilEd and Protégé provide visualization plug-ins. Those are static drawings of the ontology, usually too big and cumbersome. Neither plug-in provides the functionality required in the validation process.


6 Conclusion

In this paper we propose using ontologies as a means to capture and publish the specifications of the services provided by the agents in a MAS. The ontology makes the requirements explicit and centralizes the specification in a single document, at the same time that it provides a formal, unambiguous representation that can be processed by automated inference machines [Sowa00]. The main contribution of this approach is to put into practice a standardized reference model when specifying new agents, components and object behavior in a MAS. We showed the feasibility of the approach by means of an example in which we constructed an ontology that specified the services provided within an academic control MAS.

The change from an XML representation to an OWL one resulted in a real quality gain for the service specification. The current ontological representation is more reliable, for it can be automatically verified. Consistency is thus guaranteed by automatic inference. Furthermore, results from our analysis process (verification and validation) confirm that the OWL specification is more consistent and error-free than the previous XML one.

The use of ontologies opens the possibility of interfacing with other MAS environments. As envisioned by James Hendler, the web of the future will be composed of a multitude of websites, network services and databases, each operating with its own local and contextualized ontology [Hendler01]. There is an ongoing effort to support the integration and alignment of different ontologies, in order to support communication and service exchange [Breitman03-d, Bouquet03, McGuinness02]. The ability to align different ontologies will make it possible to probe and request services in truly open-ended environments, such as the web [Heflin01].

We are currently experimenting with semantic coordination of MAS ontologies. We have developed a mechanism to align two different ontologies, CATO, that is publicly available on the internet [Felicíssimo04]. We are using this mechanism to help integrate MAS operating in the health care domain. Our current experiment is trying to integrate the services provided by a multi-agent system used for the diagnosis and treatment of autistic children with similar health care multi-agent systems. Our intention is to use the integration process to negotiate among different MAS, thus providing new services that were not initially available, e.g., we are currently trying to align our MAS to the Retsina Calendar Agent so as to provide appointment services.

The service specification ontology serves us in two ways. Externally to our Framework, the ontology communicates the semantics of the services provided by the agents of our domain, thus allowing for exchanges among different MAS and interaction with other agents in open-ended environments, such as the World Wide Web. Internally to our Framework structure, the ontology serves as a formal specification of the catalog of services provided. Every agent/component operating within our structural model must abide by the specifications dictated by the domain services ontology. The same is true of components and objects.

Future work includes the investigation of a visualization mechanism that would allow for the separation and display of the services provided by each layer. The user interface of this mechanism will be inspired by the view mechanism of relational databases. At the same time we are considering the development of new plug-ins that implement additional verification routines (e.g. lexical and syntactic analysers for strings, parameters and regular expressions) that are not currently covered by the inference mechanisms.
Abstract. The task addressed here is a dynamic search through a bounded region, while avoiding multiple large obstacles, such as buildings. In the case of limited sensors and communication, maintaining spatial coverage - especially after passing the obstacles - is a challenging problem. Here, we investigate two physics-based approaches to solving this task with multiple simulated mobile robots, one based on artificial forces and the other based on the kinetic theory of gases. The desired behavior is achieved with both methods, and a comparison is made between them. Because both approaches are physics-based, formal assurances about the multi-robot behavior are straightforward, and are included in the paper.


1 The Sweeping and Obstacle Avoidance Task 

The task being addressed is that of sweeping a large group of mobile robots through a long bounded region (a swath of land, a corridor in a building, a city sector, or an underground passageway/tunnel), to perform a search, i.e., surveillance. This requires maximum coverage. The robots (also called “agents”) are assumed to lack any active communication capability (e.g., for stealth), and to have a limited sensing range for detecting other agents/objects. It is assumed that robots near the corridor boundaries can detect these boundaries, and that all robots can sense the global direction in which they are to move. As they move, the robots need to avoid large obstacles (e.g., buildings). This search might be for enemy mines, survivors of a collapsed building or, alternatively, the robots might be patrolling the area. It is assumed that the robots need to keep moving, because there are not enough of them to view the entire length of the region at once. In other words, the robots begin scattered randomly at one end of the corridor and move to the opposite end (considered the goal direction). This is a “sweep.” Once the robots get to the far end of the corridor, they reverse their goal direction and sweep again. Finally, if stealth is an issue then we would like the individual robot movements to be unpredictable to adversaries. It is conjectured that the behavior of a gas is most appropriate for solving this task, i.e., each robot is modeled as a gas particle.



2 Prior Approaches 


There are many different methods for controlling groups of autonomous agents (swarms). Balch and Arkin [1] present a very popular approach using behavior-based techniques. Behavior-based control uses a layered architecture based on arbitration between a suite of behaviors, such as avoidance, exploration, and planning. Although this technique has been successful in maintaining agent formations while going around obstacles, unfortunately it requires a lot of active communication and, typically, it requires small groups of heterogeneous agents that have prespecified roles. Fredslund and Mataric [2] present another behavior-based technique using local interactions to create formations and avoid obstacles. This approach has already been ported to robots and experimental results show its successes at avoiding obstacles that are roughly the same size as the robots themselves. However, no solution is presented for the challenging case where the obstacle is the size of a city building.

Other research uses ethological models such as ants or bees to control the 
robots. In one such study [3], agents are modeled as individual ants in the colony. 
In this study, the robots leave long-term traces in the environment and require 
directed graphs to be imposed onto the terrain. 

The approaches to swarm control that are of interest to us are rooted in physics. Spears and Gordon [4] have provided a technique called physicomimetics for controlling large groups of agents (modeled as particles), using virtual physics-based forces to move the agents into a desired formation, e.g., a hexagonal lattice. This technique scales well to large groups of agents and uses only local interactions. Using physicomimetics, agent swarms do a very nice job of staying in formation and avoiding obstacles, without the need for active communication, long-range sensing, or prespecified roles [5]. Nevertheless, a problem still exists when the agents are presented with a very large obstacle, e.g., a building in a city. As the agents move around the obstacle, they are unable to detect the agents that have chosen to move around the other side of the obstacle. Because of this, they are never able to regroup and leave an exposed and uncovered area downstream of the obstacle. The problem is that physicomimetics has traditionally been run in a mode that mimics the behavior of a crystalline solid. Yet solids are rigid and do not expand to fill/cover a region. This is the reason for investigating a gas approach to physicomimetics. The approach of Decuyper and Keymeulen [6] shows that a fluid metaphor works for solving arbitrarily complex mazes. The idea behind this research is that particles in a fluid automatically adapt to changes in the environment because of the fluid's dynamics. The research of Decuyper and Keymeulen has proven that the fluid metaphor is effective, but their approach requires a global grid in order to compute the fluid flow through the system. Our research, on the other hand, applies this same fluid metaphor, but using only local interactions.



3 Motivation for Gas Models 


Both liquids and gases are considered fluids, but this paper focuses on gases. 
Gases offer excellent coverage, unpredictability of particle locations, and they 
can be bounded. In general, fluids (gases and liquids) are able to take the shape of 
their container and therefore are well suited to avoiding obstacles. Fluids are also 
capable of squeezing through narrow passages and then resuming full coverage 
when the passage expands. With gases, if we model a container, the gas will 
eventually diffuse throughout the container until it reaches an asymptotic state. 
Because gases have this property but liquids do not, gases are a more natural 
way to think of how to get particles around an obstacle, and why we chose to 
model a gas. Once the particles have moved around an obstacle, fluids have the 
ability to regroup. For example, consider releasing a gas from a container at the 
top of a room with obstacles. The gas inside the container is slightly heavier than 
the surrounding air. As the gas slowly falls to the ground, it separates around 
obstacles and expands back to cover areas under the obstacles. 

Agents capable of mimicking fluid flow will be successful at avoiding obstacles 
and moving around them quickly. By mimicking gas flow in particular, the agents 
will be able to distribute themselves throughout the volume once they have 
navigated around the obstacle. 

This article presents two formal gas models to solve the problem described above, and then compares them. The first approach is physicomimetics, also called artificial physics (AP). The second is kinetic theory (KT), which models virtual inter-particle and particle-wall collisions. Both of these approaches are amenable to straightforward physics analyses for providing behavioral assurances of the robot collective [7], [8].

4 The Physicomimetics Approach 

Spears and Gordon [4] have created the artificial physics (AP) framework to 
control groups of autonomous agents. The goal of AP is one of reducing the 
potential energy of a system. Each agent in the system experiences a repulsive 
force from other agents that are too close, and an attractive force from other 
agents that are too far away. These forces, which are based on Newtonian physics, 
do not really exist in a physical sense, but the agents react to them as if they were 
real. Each agent can be described by a position vector x and a velocity vector v. Time is maintained with the scalar variable t. The simulation can be run in either 2D or 3D (to model swarms of micro-air vehicles). Agents in the system update their position, x, in discrete time steps, Δt. At each time step, each agent updates its velocity, v, based on the vector sum (resultant) of all forces exerted on it by the environment, which includes other agents within visibility range, as well as repulsive forces from obstacles and attractive forces from goals. This velocity, v, determines Δx, i.e., the next move of the agent. In particular, at each time step, the position of each particle undergoes a perturbation Δx. This perturbation depends on the current velocity, i.e., Δx = vΔt. The velocity of each particle at each time step also changes by Δv. The change in velocity is controlled by the force on the particle, i.e., Δv = FΔt/m, where m is the mass of that particle and F is the force on that particle. Note that this is the standard Newtonian F = ma equation.

By setting system parameters in AP, we can mimic solid, liquid, or gas states, 
as well as phase transitions between these states [7]. Traditionally, AP models a 
solid. To model a gas with AP, all agents experience purely repulsive forces from 
other agents as well as from obstacles and the side boundaries of the corridor.³
Although AP was not designed to be an exact model of a gas, we have found 
that its behavior does a good job of mimicking a gas. 


5 The Kinetic Theory Approach 


There are two main methods for modeling fluids: the Eulerian approach, which 
models the fluid from the perspective of a finite volume fixed in space through 
which the fluid flows (typically the method of computational fluid dynamics), and 
the Lagrangian approach, in which the frame of reference moves with the fluid 
volume (typically the kinetic theory approach) [9]. Because we are constructing 
a model from the perspective of the agents, we choose the latter. Kinetic theory 
(KT) is typically applied to plasmas or gases, and here we model a gas. This 
overview of KT borrows heavily from Garcia [10]. 

When modeling a gas, the number of particles is problematic, i.e., in a gas 
at standard temperature and pressure there are 2.687 × 10^19 particles in a cubic
centimeter. A typical solution is to employ a stochastic model that calculates and 
updates the probabilities of where the particles are and what their velocities are. 
This is the basis of KT. One advantage of this model is that it enables us to make 
stochastic predictions, such as the average behavior of the ensemble. The second 
advantage is that with real robots, we can implement this with probabilistic 
robot actions, thereby avoiding predictability of the individual agent. 

In KT, particles are treated as possessing no potential energy (i.e., an ideal gas), and collisions with other particles are modeled as purely elastic collisions that conserve momentum. Using some of the formulas of kinetic theory, we can obtain useful properties of the system. If we let k be Boltzmann's constant, k = 1.38 × 10^-23 J/K, m be the mass of the particle, and T be the temperature of the system, then we can define the average speed of any given particle (in 3D) as

$\langle v \rangle = \int_0^{\infty} v\, f(v)\, dv = 2\sqrt{2}\,\sqrt{\frac{kT}{\pi m}} = \sqrt{\frac{8kT}{\pi m}}$

where f(v) is the probability density function for speed.

Another property we can define for KT is the average kinetic energy of the particles:

$\langle K \rangle = \left\langle \tfrac{1}{2} m v^2 \right\rangle = \tfrac{3}{2} kT$

³ A frictional force is also included in the AP solid model, but is excluded in gas AP.



Using KT, we are able to model different types of fluid flow. For our simulations, we modeled 2D Couette flow. The original code for this one-sided Couette flow is a translation of code from Garcia [10] to the Java programming language. Figure 1 shows a schematic for this one-sided Couette flow, where we have a fluid moving between two walls, one wall moving with velocity v_wall and the other stationary. Because the fluid is a Newtonian fluid and has viscosity, we see a linear velocity profile across the system. Fluid deformation occurs because of the shear stress τ, and wall velocity is transferred because of molecular friction on the particles that strike the wall. On the other hand, the particles that strike the non-moving wall will transfer some of their velocity to it. This does not cause the wall to move, since in a Couette flow the walls are assumed to have infinite length and therefore infinite mass. We chose a Couette flow so that we can introduce energy into the system and give the particles a direction to move. This effect is similar to AP modeling a goal force.



Fig. 1. Schematic for a Couette flow


The main differences between AP and KT are: (1) AP deals with forces; KT deals only with the resulting velocity vectors. (2) With the current force law used by AP, interactions are “soft collisions,” i.e., repulsive forces cause small deviations in agent velocities. In KT, collisions cause radical, probabilistic changes in agent velocities. (3) For a given set of starting locations, AP is deterministic, whereas KT is stochastic.


6 Implementation 


We created a 2D simulation world with a pair of corridor walls (which can be 
considered Couette walls), obstacles, and agents (modeled as gas particles). The 
fluid flow is unsteady with no turbulence, i.e., unsteady laminar flow. 

First, we describe our AP gas approach, in which motion is due to attractive and repulsive forces. Recall that AP uses virtual Newtonian force laws. The force law used is:

$F = |\mathbf{F}| = \frac{G m_1 m_2}{r^2}$ (1)

where G is a gravitational constant⁴, m_1 and m_2 are the masses, and r is the distance between the agent and another object/agent. For a robotic implementation, there is a maximum possible force, F_max, i.e., F ≤ F_max always. The value of F_max used in our simulations is 1.5. The parameter G is set at initialization of the program. To maintain a desired distance, R, between agents in an AP solid, this force is repulsive if r < R and attractive if r > R. For an AP gas, the force is always repulsive. Each agent has one sensor to detect the range and bearing to nearby agents, and one effector to move with velocity v. To make the simulation a realistic model of robots, agents can only detect other agents/objects within a limited range, namely, 1.5R. Our implementation assumes R = 50.

The corridor and obstacle wall forces are purely repulsive. For AP, the large- 
scale fluid motion is driven by an attractive goal force at one end of the corridor. 
Different force constants, G, are allowable for inter-agent forces and agent-wall 
forces. However, this paper assumes the same G, namely, 1,200. Note that if the 
forces for avoidance of an obstacle are equal to the attractive forces felt by the 
goal, the particles reach a stagnation point at the intersection with the obstacle 
- because all of the forces felt by the particle are in balance. To overcome this 
situation, when a particle experiences a repulsive force from an obstacle or wall 
that is the same in magnitude but in the opposite direction of the goal force, the 
particle translates this into a tangential repulsive force. When choosing an angle 
for the tangential force we must be careful to keep the particle from reaching 
a stagnation point and keep the particle from moving through the obstacle. 
Rotating the angle by 45° produces this result nicely. In particular, if the angle 
of the force is 180° then the angle for this force becomes 135° or 225°, depending 
on the direction chosen by the robot. 
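As an added example (not the authors' simulator, which was written in Java), here is the AP gas update described in Sections 4 and 6 in Python: the force law of Equation (1) with the F_max cap, gas versus solid behaviour around R, repulsion from corridor walls and obstacles, the 45° tangential rotation used to escape a stagnation point, and the Δv = FΔt/m, Δx = vΔt update. The paper's constants (G = 1,200, F_max = 1.5, R = 50, sensing range 1.5R, m = 1) are used; the rectangular obstacle shape, the stagnation tolerance and all function names are assumptions of this example.

```python
import math

G = 1200.0        # force constant G from the paper
F_MAX = 1.5       # maximum force F_max from the paper
R = 50.0          # desired inter-agent distance R
SENSE = 1.5 * R   # sensing range 1.5R
MASS = 1.0        # m = 1, as assumed throughout the paper

def ap_force(dx, dy, gas=True):
    """Force on an agent at the origin due to a neighbour at offset (dx, dy):
    magnitude G*m1*m2/r^2 (Equation 1) capped at F_MAX. Gas mode is always
    repulsive; solid mode repels for r < R and attracts for r > R."""
    r = math.hypot(dx, dy)
    if r == 0.0 or r > SENSE:           # out of sensing range: no force
        return (0.0, 0.0)
    mag = min(G * MASS * MASS / (r * r), F_MAX)
    ux, uy = dx / r, dy / r             # unit vector toward the neighbour
    if gas or r < R:
        return (-mag * ux, -mag * uy)   # push away
    return (mag * ux, mag * uy)         # pull toward

def rect_repulsion(px, py, rect):
    """Repulsion from an axis-aligned rectangle (xmin, ymin, xmax, ymax), used
    here for corridor walls and obstacles (the rectangle shape is an assumption
    of this example); the force comes from the nearest boundary point."""
    xmin, ymin, xmax, ymax = rect
    cx = min(max(px, xmin), xmax)
    cy = min(max(py, ymin), ymax)
    return ap_force(cx - px, cy - py, gas=True)

def rotate(fx, fy, deg):
    """Rotate a force vector by deg degrees (counter-clockwise when positive)."""
    a = math.radians(deg)
    return (fx * math.cos(a) - fy * math.sin(a), fx * math.sin(a) + fy * math.cos(a))

def resolve_stagnation(obs_f, goal_f, clockwise=True, tol=1e-6):
    """Stagnation handling: if an obstacle/wall force has the same magnitude as
    the goal force and points the opposite way, turn it by 45 deg (from 180 deg
    relative to the goal to 135 or 225 deg) so the agent slides tangentially
    instead of stalling or being pushed through the obstacle."""
    ox, oy = obs_f
    gx, gy = goal_f
    if (gx or gy) and abs(ox + gx) < tol and abs(oy + gy) < tol:
        return rotate(ox, oy, -45.0 if clockwise else 45.0)
    return obs_f

def ap_step(agents, obstacles, goal, dt=1.0, gas=True):
    """One discrete AP step: sum goal, neighbour and obstacle forces, then apply
    dv = F dt / m and dx = v dt. agents: list of [x, y, vx, vy]; goal: constant
    goal force (gx, gy); obstacles: list of rectangles."""
    new = []
    for i, (x, y, vx, vy) in enumerate(agents):
        fx, fy = goal
        for j, (ox, oy, _, _) in enumerate(agents):
            if i != j:
                ax, ay = ap_force(ox - x, oy - y, gas)
                fx, fy = fx + ax, fy + ay
        for rect in obstacles:
            rx, ry = resolve_stagnation(rect_repulsion(x, y, rect), goal)
            fx, fy = fx + rx, fy + ry
        vx += fx * dt / MASS
        vy += fy * dt / MASS
        new.append([x + vx * dt, y + vy * dt, vx, vy])
    return new
```

With a single agent, no obstacles and a goal force of g, repeated calls to `ap_step` reproduce v_y = g t exactly, which is the AP prediction checked in Section 8.1; with an obstacle directly ahead and a goal force equal to the capped repulsion, the rotated force gives the agent a sideways velocity component instead of leaving it stalled.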

In parallel with the AP approach, we have also implemented the KT approach. Our KT approach models a modified (two-sided) Couette flow in which both Couette walls are moving in the same direction with the same speed. We invented this variant as a means of propelling all agents in a desired general direction, i.e., the large-scale fluid motion becomes that of the walls. Particle velocities start randomly and remain constant unless collisions occur. (Note that with actual robots, collisions would be virtual, i.e., they would be considered to occur when the agents get too close. Wall motion would also be virtual.) The system updates the world in discrete time steps, Δt. We choose these time steps to occur on the order of the mean collision time for any given agent. Each agent can be described by a position vector x and a velocity vector v. At each time step, the position of every agent is reset based on how far it could move in the given time step and its current velocity:

$\mathbf{x} \leftarrow \mathbf{x} + \mathbf{v}\,\Delta t$.

This is done for every agent in the system, and positions are updated regardless of walls and obstacles as well as other agents. Once the current agent's position has been updated, a check is performed to see if that agent has moved through a wall (including an obstacle wall), in which case the position needs to be reset as if a collision occurred. If the agent strikes a moving wall, then some of the energy from the wall is transferred to the agent. This effect models the molecular friction of the fluid and speeds up the agent. The agent's position is reset as a biased Maxwellian distribution, based on where the agent strikes the wall and how far the agent would have been able to move if the wall were not there. On actual robots, wall collision detection will be done prior to moving. If the robot will intersect with the wall on its next move, then it determines its new position based on a collision, rather than actually colliding with the wall. Once all agents have moved and their positions have been reset based on collisions with the walls, inter-agent collisions are processed. The number of collisions in any given region is a stochastic function of the number of agents in that region (see [10] for details). This process continues indefinitely or until a desired state has been reached.

⁴ G is not related to actual gravity (which is purely attractive), but is a force constant used in the system.
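The KT update just described, as an added Python example (not the authors' Java translation of Garcia's code): the x ← x + vΔt move, the wall check that places the agent where it struck the wall and spends the remaining time with a new velocity, that velocity drawn from a wall-biased Maxwellian with the wall's speed added (the molecular-friction term), and cell-based stochastic inter-agent collisions whose count grows with the number of agents in the cell. The walls are the two side walls of the two-sided Couette at x = 0 and x = D; the values of D, V_WALL, the thermal scale kT/m, the cell height and the per-pair rate P_COLL are constructed parameters, and the DSMC-style acceptance-rejection used for the collisions is this example's choice rather than a detail taken from the paper.

```python
import math
import random

KT_OVER_M = 1.0   # thermal speed scale kT/m (constructed)
D = 100.0         # Couette width: side walls at x = 0 and x = D (constructed)
V_WALL = 2.0      # both walls move in +y at this speed (two-sided Couette)
CELL = 20.0       # collision-cell height along y (constructed)
P_COLL = 0.2      # constructed collision-rate parameter per candidate pair

def make_rng(seed):
    """Seeded generator so the stochastic steps are reproducible."""
    return random.Random(seed)

def wall_velocity(rng, inward):
    """Velocity drawn after a wall strike. The wall-normal component follows a
    flux-biased (half-)Maxwellian pointing back into the corridor; the tangential
    component is Gaussian plus the wall's own speed, the molecular-friction term
    that transfers wall energy to the agent."""
    vn = math.sqrt(-2.0 * KT_OVER_M * math.log(1.0 - rng.random())) * inward
    vt = rng.gauss(0.0, math.sqrt(KT_OVER_M)) + V_WALL
    return vn, vt

def move_with_walls(agent, dt, rng):
    """x <- x + v dt; if the move crosses a side wall, advance only to the wall,
    resample the velocity there and spend the remaining time with it."""
    x, y, vx, vy = agent
    nx = x + vx * dt
    if vx == 0.0 or 0.0 <= nx <= D:
        return [nx, y + vy * dt, vx, vy]
    wall = 0.0 if nx < 0.0 else D
    t_hit = (wall - x) / vx            # time needed to reach the wall
    y_hit = y + vy * t_hit
    vx, vy = wall_velocity(rng, inward=1.0 if wall == 0.0 else -1.0)
    rem = dt - t_hit
    return [wall + vx * rem, y_hit + vy * rem, vx, vy]

def elastic_collision(v1, v2, rng):
    """2D hard-sphere collision of equal masses: keep the centre-of-mass velocity
    and rotate the relative velocity to a random direction. Momentum and kinetic
    energy are conserved, but the outcome is probabilistic."""
    cmx, cmy = (v1[0] + v2[0]) / 2.0, (v1[1] + v2[1]) / 2.0
    vr = math.hypot(v1[0] - v2[0], v1[1] - v2[1])
    th = 2.0 * math.pi * rng.random()
    rx, ry = vr * math.cos(th), vr * math.sin(th)
    return (cmx + rx / 2.0, cmy + ry / 2.0), (cmx - rx / 2.0, cmy - ry / 2.0)

def collide_in_cells(agents, rng):
    """Agent-agent collisions per cell: candidate pairs scale with n(n-1)/2 for
    the n agents in a cell, and each candidate collides with probability
    proportional to its relative speed (DSMC acceptance-rejection)."""
    cells = {}
    for i, a in enumerate(agents):
        cells.setdefault(int(a[1] // CELL), []).append(i)
    for members in cells.values():
        n = len(members)
        if n < 2:
            continue
        vmax = max(math.hypot(agents[i][2] - agents[j][2], agents[i][3] - agents[j][3])
                   for i in members for j in members if i < j) or 1.0
        for _ in range(int(round(P_COLL * n * (n - 1) / 2.0))):
            i, j = rng.sample(members, 2)
            vr = math.hypot(agents[i][2] - agents[j][2], agents[i][3] - agents[j][3])
            if rng.random() * vmax < vr:
                (agents[i][2], agents[i][3]), (agents[j][2], agents[j][3]) = \
                    elastic_collision(agents[i][2:], agents[j][2:], rng)
    return agents

def kt_step(agents, dt, rng):
    """One KT time step: move (with wall resets), then process collisions."""
    return collide_in_cells([move_with_walls(a, dt, rng) for a in agents], rng)

def total_momentum(agents):
    return sum(a[2] for a in agents), sum(a[3] for a in agents)

def total_energy(agents):
    return sum(a[2] ** 2 + a[3] ** 2 for a in agents) / 2.0
```

Inter-agent collisions leave total momentum and kinetic energy unchanged (only wall strikes add energy, as the text describes), which is easy to check by comparing `total_momentum` and `total_energy` before and after `collide_in_cells`.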

We have just described the KT approach to modeling Couette flow, modi- 
fied with a two-sided Couette. We next introduce obstacles into the world, and 
consider different methods for modeling interactions with obstacle walls. 

For one, we could use a KT approach that treats the obstacle boundaries as 
stationary walls, and processes collisions the same as is done with Couette walls. 
Unfortunately, in the pure KT approach, agents do not perceive the location of 
an obstacle until they have collided with it. When colliding with an obstacle, 
the velocity of the particle off the obstacle is distributed Maxwellian in the goal 
direction and Gaussian in the lateral direction (i.e., orthogonal to the longitudi- 
nal goal direction). This produces excellent results when steady state is reached. 
A problem arises, however, since we are not modeling a steady state fluid flow. 
If we were given a steady flow, agents in the system would collide with other 
agents coming down the flow and through collisions would be pushed around 
the obstacle. Since flow is unsteady, one of the last agents in the system (i.e., 
upstream from all the other agents) could strike an obstacle and end up going 
in the opposite direction with no mechanism to turn it around. 

The traditional AP (solid) approach to obstacle avoidance does extremely 
well at navigating around obstacles. Unfortunately, the AP solid approach does 
not maintain a good coverage of the environment once the particles have navi- 
gated around the obstacle. Figure 2 shows this in simulation. However, the AP 
gas approach (with repulsion only) is able to navigate around obstacles and re- 
tain good coverage, see Fig. 2. A question remains, nonetheless, as to whether 
we could do even better by combining AP and KT. 

To address this question, we created a hybrid AP/KT algorithm, in which 
wall collisions generate large-scale motion, AP repulsive forces enable obstacle 
avoidance, and KT is responsible for agent-agent interactions. By treating the 
obstacle as a repulsive force, the agents softly bounce off the obstacle walls. This 
force causes the agent to turn, thereby allowing more particles to make it around 
the obstacle. Since the particles turn softly, they are more likely to hit one of the 
moving walls and continue in the direction of the flow until they have made it 
around the obstacle. We are able to achieve an even distribution of particles past 





the obstacle with this hybrid, as well as increase the number of particles that 
make it past in a shorter amount of time. Figure 3 shows the hybrid approach. 
Note that numerous alternative hybrids of AP and KT are possible; investigation 
of these others will be a topic for future research. 



Fig. 3. KT controllers perform a sweep. A. KT B. AP/KT hybrid 


7 Experimental Results 

To discover the strengths and weaknesses of each of our four methods (AP solid, AP gas, KT gas, and the AP/KT gas hybrid), we ran numerous empirical experiments with the simulator. Typical results are shown in Figures 2 and 3. In these figures, particles begin at the top and move to the bottom (which is the goal direction). The y-axis is vertical and the x-axis is horizontal. Our starting point was the AP solid approach to obstacle avoidance. Agent formations stayed intact with this approach, but coverage was very poor. AP gas yielded results far better than AP solid for coverage behind the obstacles (Fig. 2).

Like AP gas, pure KT has yielded excellent coverage. However, problems 
arose with KT because of the unsteady fluid flow, as discussed above. Further- 
more, because of the unsteady nature of the flow, it typically took longer for the 
entire group of KT particles to get around all of the obstacles (if they were able 
to do so) than for AP particles to get around the obstacles. 

Recall that the hybrid AP/KT approach avoids stagnation points. Other 
difficulties arise for the AP/KT method. One difficulty arises when two obstacles 
are very close together, i.e., sufficiently close that the forces exerted from them 
are able to dominate the goal forces and inter-particle forces. This leaves us with 
unexplored areas inside our corridor of obstacles (Fig. 4). All methods using
force laws had problems dealing with this situation. 



Fig. 4. Obstacle field that has a narrow corridor within. The force-based methods will 
be unable to explore this area 


We have also encountered another potential problem for the KT approaches. 
The problem does not appear to be due to agent-agent interactions. Rather,
the problem arises when trying to address both the large-scale movement and 
avoidance of multiple obstacles. We notice this when the obstacle density is 
increased between the walls. Because the KT methods use collisions with Couette 
walls for propulsion in a goal direction, the width of the region between these 
walls determines the coverage of the world. In particular, if the walls contain a 
group of obstacles several layers abreast, we cannot guarantee that the central 
region of the Couette, far from the walls, will be covered by the agents. The pure 
AP models do not have this problem. 

In summary, AP solid has very poor coverage, whereas all of the gas models 
produce excellent coverage, which reaffirms our motivation for choosing gas mod- 
els. AP and AP/KT hybrid are better than KT for navigating around obstacles, 
although they have greater difficulty navigating through narrow corridors. 




8 Theoretical Predictions 


One of the key benefits of using a physics-based multi-agent system is that exten- 
sive theoretical (formal) analysis tools already exist for making predictions and 
guarantees about the behavior of the system. Furthermore, such analyses have 
the added benefit that their results can be used for setting system parameters 
for achieving desired multi-agent behavior. The advantages of this are enormous
- one can transition directly from theory to a successful robot demo, without 
all the usual parameter tweaking. For an example of such a success (using AP 
solid), see [5]. To demonstrate the feasibility of applying physics-based analysis 
techniques to physics-based systems, we make predictions that support some of 
our claims regarding the suitability of gas models for our surveillance task. 

Before describing the experiments, let us first present the metric used for 
measuring error between the theoretical predictions and the simulation results. 
Relative error is used, which is defined as:

$\frac{|\,\text{theoretical} - \text{actual}\,|}{\text{theoretical}}$

For each experiment, one parameter was perturbed (eight different values of the 
affected parameter were chosen). For each parameter value, 20 different runs 
through the simulator were executed, each with different random initial agent 
positions and velocities. The average relative error (over the 20 runs) and the 
standard deviation from the average were determined from this sample. 

Next, consider the experiments. Recall that our objectives are to sweep a 
corridor and to avoid obstacles along the way. A third objective for the swarm 
of agents is that of coverage. We define two types of coverage: longitudinal (in 
the goal direction) and lateral (orthogonal to the goal direction). Longitudinal 
coverage can be achieved by movement of the swarm in the goal direction; lat- 
eral coverage can be achieved by a uniform spatial distribution of the robots 
between the side walls. The objective of the surveillance task is to maximize 
both longitudinal and lateral coverage in the minimum possible time. The num- 
ber of particles, initial distribution of particles, and termination criterion are 
determined individually for each experiment, based on earlier studies. 

To measure how well the robots achieve the task objective, we observe: 

1. The distribution of velocities of all agents in the corridor. This is a measure of both sweep time and total coverage (i.e., a wide distribution typically implies greater coverage of the corridor length and width).

2. The degree to which the spatial distribution of the robots matches a uniform distribution. This is a measure of lateral coverage of the corridor.

3. The average agent speed (averaged over all agents in the corridor). This is a measure of total coverage.

Measurement of each of these three aspects of the system (velocity distribution, 
spatial distribution, average speed) corresponds to each of our three experiments. 





Recall (above) that for each experiment, we vary the value of one parameter. The 
reason for varying such parameter values is to allow a system designer to optimize 
the design - by understanding the tradeoffs involved. In other words, we have 
observed that there is a tradeoff between the degrees of longitudinal coverage, 
lateral coverage, and sweep speed - greater satisfaction of one can lead to reduced 
satisfaction of the others, making this a Pareto-optimization task. By varying 
parameter values and showing the resulting velocity and spatial distributions 
and average speed, a system designer can choose the parameter values that 
yield desired system performance. Finally, why show both theory and simulation 
results for each experiment and each parameter value? Our rationale is that it 
is far easier for a system designer to work with the theory when deciding what 
parameter values to choose for the system. The designer can do this if the theory 
is predictive of the system. In our experimental results below, we show that the 
theory is indeed predictive of experimental results using our simulation. 

For the sake of simplicity, in these experiments we use a subtask of our 
complete surveillance task. None of the experiments involve obstacles. For the 
first experiment, the agents are placed uniformly along the beginning of a long 
corridor and allowed to perform one sweep. In the second experiment, the agents 
are placed in a square container in an initially tight Gaussian distribution and 
allowed to diffuse to an asymptotic state. For the final experiment, the agents are 
placed at the beginning of a long corridor once again, and allowed to run for a 
predetermined number of time steps, after which the average speed is measured. 
In the second and third experiments, there is no goal force or wall movement, 
and therefore there is no directed bulk movement (transport) of the swarm. 


8.1 Experiment 1: Velocity Distribution 

The first theoretical prediction for our system is devoted to longitudinal coverage 
and sweep speed via movement. The theory predicts the velocity distribution for 
each of the approaches, AP and KT. It is assumed that fluid flow is in the 
y-direction (downward toward the goal), as in Fig. 2. 

Recall that the AP approach is an implementation of F = ma. Assuming F_y = g, where g is the magnitude of the goal force, which is constant for all particles and is strictly in the goal direction, and assuming m = 1 (which is assumed throughout this paper), we have the following derivation (where v_y is the magnitude of the velocity in the y-direction, and v_x is assumed to be 0):

$g\,dt = dv_y$

$v_y = g\,t$



This shows that the velocity in the direction of the goal is just the force of the 
goal times the amount of time that has elapsed. We set up an experiment using 
this theoretical formula to determine the relative error for our experiments. The 
experiment placed 500 agents in the simulator and terminated in 100 time steps, 
since by this time the agents reach the maximum velocity that can be achieved 
on real robots. The parameter being varied is the goal force. The results are 
plotted in Fig. 5, and the relative error is roughly 1%. 


Fig. 5. Relative Error for Goal-Velocity (Prediction 1). Panels: AP Goal-Velocity Relative Error; KT Goal-Velocity Relative Error.


For KT, a traditional one-sided Couette drives the bulk swarm movement. 
The complete derivation for the velocity profile of a Couette flow can be found 
in [9] (pages 417-420), but here we present a more concise version. 

For steady, 2D flow with no external forces, there is a classical “Governing 
Equation” that predicts the y-direction momentum of the fluid. This Governing 
Equation is: 
where ρ is the fluid density, v_x and v_y are the x- and y-components of velocity, P is the fluid pressure, and τ_yy and τ_xy are the normal and shear stresses, respectively. We can use this equation for momentum to derive the velocity. However, first we need to specialize the equation for our particular situation. For Couette flow, the equation becomes:

where μ is the fluid viscosity. Assuming an incompressible, constant temperature flow with constant viscosity, this becomes:

Equation 2 is the Governing Equation for steady, 2D, incompressible, constant temperature Couette flow. Integrating twice with respect to x to find v_y, we get:

$v_y = c_1 x + c_2$ (3)

We can solve for c_1 and c_2 from the boundary conditions. In particular, at the stationary Couette wall (x = 0), v_y = 0, which implies that c_2 = 0 from Equation 3. At the moving wall (x = D), v_y = v_wall, where D is the Couette width and v_wall is the velocity of the moving wall, which is in the y-direction (toward the goal). Then c_1 = v_wall/D from Equation 3.

Substituting these values for c_1 and c_2 back into Equation 3, we get:

$\frac{v_y}{v_{wall}} = \frac{x}{D}$

This is a linear profile.

We set up an experiment to measure the relative error generated by our 
simulation, with each particle behaving as if it were part of a one-sided Couette 
flow. Each experiment contained 3,000 particles, and ran for 50,000 time steps. 
When determining the error, we divided the world into seven discrete cells. For 
each cell, we determined the average velocity of the particles located in that cell. 
The relative error was averaged across all cells and plotted in Fig. 5 for eight 
different wall speeds. One can see that the error is below 20%, with a reduction 
in error for KT as the wall speed is increased. Note that the original algorithms
from Garcia [10] also have error between theory and simulation that is slightly 
below 20%. Reasons for this discrepancy between theory and simulation are 
elaborated in the discussion section below. When determining the longitudinal 
coverage via swarm movement, we are able to predict very accurately for both 
algorithms in the simple scenario, except at slow wall speeds for KT. 


8.2 Experiment 2: Spatial Distribution 

For the second experiment, we predict the lateral coverage via the spatial
distribution. For this experiment, there is neither a goal direction nor obstacles. The
agents’ task is to diffuse throughout the system. The theory for each approach 
in gas formation predicts a uniform distribution throughout the system. For 
the experimental setup, we measured the distance from the uniform distribution 
once the gas reached an asymptotic state. Therefore, we divided our system into 
discrete cells and counted the number of particles in each cell. Theory predicts 
that the number of particles in each cell should be n/c, where n is the total 
number of particles and c is the total number of grid cells that cover our system. 

Our experimental system serves as a simple container to hold a gas. The
gas should diffuse within the container until it reaches an asymptotic state and
contains equal numbers of particles in each cell. We allowed the system several
thousand time steps, starting from a tight Gaussian distribution about the center
of the container, to reach this state and then measured the number of particles in
each cell. This measurement was averaged over many time steps, since particles
were still moving through the system and diffusion did not imply particles ceased
to move. Both experiments were the same for AP and KT, and the results can
be found in Fig. 6. In both cases, the parameter being varied is the number of
particles. Once again, we are able to predict the spatial distribution with relative
error less than 20%.

Fig. 6. Relative Error for Uniform Distribution (Prediction 2)

There is a noticeable downward trend for the relative error in the AP system 
as more particles are added to the system. Recall that in AP we use forces to 
affect other particles as well as forces from the walls to keep the particles inside 
the simulation. This requires that particles have a desired radius such that when 
another particle enters this radius, it is repelled away. As more particles are 
added to the simulation, the space is filled with particles that are constantly 
pushing each other away and moving into the only formation that will allow 
them all to fit, which is a uniform distribution. 

8.3 Experiment 3: Average Speed 

For the third experiment, we predict the average speed of the particles in the
system. The average speed of the particles serves as a measure of how well the
system will be able to achieve complete coverage, because higher speed implies
greater coverage. The derivation for AP's prediction of average speed begins
with a theoretical formula for AP system potential energy (PE) from [11]. This
theory assumes that the particles start in a cluster of radius 0. There are two
different situations, depending on the radial extent to which F_max dominates
the force law F = ma. Recall that agents use F_max when F > F_max. This
occurs when G/r² > F_max or, equivalently, r < √(G/F_max) = R'. The first situation
is when F_max is used only at close distances, i.e., when 0 < R' < 1.5R. The
second situation occurs when R' > 1.5R. Here we assume the first situation, i.e.,
a low value of G is used such that G < F_max(1.5R)², and F_max is only used at
close distances. Because we are using AP gas, there is no friction and all forces
are repulsive. We begin with a two-particle system. In this case, the formula is
the sum of two integrals. The first represents the force felt by one particle as it
approaches another, from a distance of 1.5R to R'. The second is the force F_max
that is experienced when 0 < r < R'. Then, using R' as defined above, with r
the inter-agent distance, we have (V is the standard symbol for PE):

$$ V = \int_0^{R'} F_{max}\, dr + \int_{R'}^{1.5R} \frac{G}{r^2}\, dr
     = F_{max} R' + G \int_{R'}^{1.5R} r^{-2}\, dr
     = F_{max} R' + G \left( -\frac{1}{1.5R} + \frac{1}{R'} \right) $$
Now we generalize V to N particles. V_S is our abbreviation for total potential
energy, and

Note that all the potential energy transforms into kinetic energy (since there is
no friction energy dissipation), i.e., V_S → KE. Also, the total kinetic energy,
KE, is equal to

$$ KE = \frac{1}{2} \sum_{i=1}^{N} (v(i))^2 $$

assuming m = 1, where v(i) is the speed of particle i. This formula for KE is
equal to (N/2)⟨v²⟩, where ⟨v²⟩ is the average of the particle speeds squared.

Setting V_S = KE, we get:

Substituting for V we get

From [12], we know that the relationship between ⟨v⟩ and ⟨v²⟩ is the following:

$$ \langle v \rangle = \sqrt{\langle v^2 \rangle - \sigma^2} $$

where σ² is the variance of the velocity distribution. However, because the
variance of the velocity distribution is not typically available when making a
theoretical prediction, one approximation (which is an upper bound on the true
theoretical formula because it assumes 0 variance) that we can use is:

$$ \langle v \rangle \approx \sqrt{\langle v^2 \rangle} = \sqrt{V (N - 1)} $$
Fig. 7. Relative Error for Average Speed (Prediction 3)


Using this equation for AP, we ran through the experiments (starting with
the particles in a tight cluster to match the theory), allowed the gas to reach an
asymptotic state, and measured the relative error. For each experiment, there
were 100 agents in the system. The total number of time steps required to reach
this asymptotic state is different for each value of G since it requires that the
agents are no longer interacting with each other. This terminating state can be
found when all the agents have ceased to change their velocity. The parameter
being varied is the gravitational force, G. As seen in Fig. 7, the error is less than
6%. Furthermore, if the system designer has any clue as to what variance to
expect in speeds, the theoretical prediction will be greatly improved.

In addition to verifying the formula for ⟨v⟩, we also verified the predictiveness
of the formula above for ⟨v²⟩, which is precise because it does not involve
variance. The relative error in this case is less than 0.07% for all values tested,
which is extremely low.

We next show how we derive a KT formula for average speed by modifying
the derivation for 3D ⟨v⟩ in [10] to a 2D formula for ⟨v⟩ (so it applies to
our simulation). Assuming a system in thermodynamic equilibrium (since there
is no bulk transport), with velocity components within the ranges v_x to v_x + dv_x
and v_y to v_y + dv_y, and k is Boltzmann's constant, m is the particle mass, v is the
magnitude of the particle velocity (i.e., the particle speed), and T is the initial
system temperature (a simple, settable system parameter), then the probability,
f(v_x, v_y)dv_x dv_y, that a particle has velocity components in these ranges is
proportional to e^(−mv²/2kT) dv_x dv_y. In particular, we have:

$$ f(v_x, v_y)\, dv_x\, dv_y = A e^{-mv^2/2kT}\, dv_x\, dv_y
   = A e^{-m v_x^2/2kT}\, e^{-m v_y^2/2kT}\, dv_x\, dv_y $$

because v² = v_x² + v_y², and A is a normalization constant that is fixed by the
requirement that the integral of the probability over all possible states must be
equal to 1, i.e.,


Therefore,

$$ A = \frac{1}{\int_{-\infty}^{\infty} e^{-m v_x^2/2kT}\, dv_x \int_{-\infty}^{\infty} e^{-m v_y^2/2kT}\, dv_y} $$

To simplify the expression for A, we can use the fact (from pages 40-46 of [13])
that:

and then do likewise for v_y. Therefore:

$$ f(v_x, v_y)\, dv_x\, dv_y = \left( \frac{m}{2\pi kT} \right) e^{-m(v_x^2 + v_y^2)/2kT}\, dv_x\, dv_y $$

where m/2πkT is A.

Note, however, that f(v_x, v_y)dv_x dv_y is a probability for a velocity vector, but
we want average speed. To get average speed, the math is easier if we go from
Cartesian to polar coordinates. In particular, to go from velocity to speed, we
integrate over all angles.

In polar coordinates, 2πv dv is the area of extension (annulus) due to Δv. In
other words, the area of an annulus whose inner radius is v and outer radius is
v + dv is 2πv dv. Then the Maxwell-Boltzmann distribution of speeds, f(v)dv, is
obtained by integrating the velocity distribution, f(v_x, v_y)dv_x dv_y, over all angles
from 0 to 2π. This integration yields:

$$ f(v)\, dv = 2\pi v \left( \frac{m}{2\pi kT} \right) e^{-mv^2/2kT}\, dv $$

Canceling terms, the right-hand side becomes:

Because ⟨v⟩ is an expected value,

$$ \langle v \rangle = \int_0^{\infty} v f(v)\, dv = \frac{m}{kT} \int_0^{\infty} v^2 e^{-mv^2/2kT}\, dv $$



From [14] (page 609), we know that ∫_0^∞ e^(−ax²) x² dx = (1/4)√(π/a³).
Substituting v for x and m/2kT for a, we get:

$$ \langle v \rangle = \left( \frac{\pi kT}{2m} \right)^{1/2} $$

Once again, we set up an experiment to measure the actual average speed of
the particles in the system. We allowed the system to converge to an asymptotic
state for 50,000 time steps measuring the average speed. For each of the 500
particles in the system, we found the average speed, ⟨v⟩. This speed was used to
find the relative error for the system. Since temperature drives changes in speed,
we varied the temperature. Note that by setting T, a system designer can easily
achieve desired behavior. The results can be found in Fig. 7 for the different
temperatures. Our ability to predict the average speed of the particles is shown
by errors less than 10%.
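As an added example (not code from the paper), the following Python evaluates the AP gas prediction ⟨v⟩ ≤ √(V(N−1)) and the 2D KT result ⟨v⟩ = (πkT/2m)^(1/2) derived above, and checks the KT formula by sampling velocity components. The parameter values, sample size and seed are constructed for the check, and the relative-error definition |predicted − measured|/measured is assumed here rather than taken from the paper.

```python
import math
import random

# Added example (not from the paper): evaluates the two average-speed
# predictions derived above and checks the 2D Maxwell-Boltzmann result by
# sampling. Symbols G, R, F_max, N, k, m, T follow the paper; the sample
# sizes, seed and parameter values used in the checks are constructed here.

def ap_gas_two_particle_pe(G, R, Fmax=1.0):
    """V = F_max R' + G (1/R' - 1/(1.5R)) with R' = sqrt(G/F_max) (p = 2):
    F_max is felt from 0 to R', then the repulsive G/r^2 force out to 1.5R."""
    R_prime = math.sqrt(G / Fmax)
    if not 0.0 < R_prime < 1.5 * R:
        raise ValueError("derivation assumes F_max is used only at close range")
    return Fmax * R_prime + G * (1.0 / R_prime - 1.0 / (1.5 * R))

def ap_gas_speed_prediction(G, R, N, Fmax=1.0):
    """V_S = V N(N-1)/2 equals KE = N <v^2>/2 (m = 1, no friction), so
    <v^2> = V (N-1); the zero-variance approximation gives <v> ~ sqrt(<v^2>).
    Returns (<v^2>, upper bound on <v>)."""
    v_sq = ap_gas_two_particle_pe(G, R, Fmax) * (N - 1)
    return v_sq, math.sqrt(v_sq)

def kt_mean_speed_2d(T, m=1.0, k=1.0):
    """<v> = (pi k T / 2m)^(1/2), the 2D Maxwell-Boltzmann mean speed."""
    return math.sqrt(math.pi * k * T / (2.0 * m))

def sample_kt_speeds(T, n, m=1.0, k=1.0, seed=1):
    """Monte Carlo check of the KT formula: e^{-m v^2/2kT} factorizes into a
    Gaussian of variance kT/m per component, so draw v_x, v_y that way and
    return (<v>, <v^2>, sigma^2) of the resulting speeds."""
    rng = random.Random(seed)
    sd = math.sqrt(k * T / m)
    speeds = [math.hypot(rng.gauss(0.0, sd), rng.gauss(0.0, sd)) for _ in range(n)]
    mean_v = sum(speeds) / n
    mean_v2 = sum(v * v for v in speeds) / n
    return mean_v, mean_v2, mean_v2 - mean_v ** 2

def relative_error(predicted, measured):
    """Relative error between prediction and measurement (definition assumed here)."""
    return abs(predicted - measured) / measured

if __name__ == "__main__":
    T = 2.0
    mean_v, mean_v2, var = sample_kt_speeds(T, 200_000)
    print("KT  <v> theory %.4f  sampled %.4f  rel. error %.4f"
          % (kt_mean_speed_2d(T), mean_v, relative_error(kt_mean_speed_2d(T), mean_v)))
    # <v> = sqrt(<v^2> - sigma^2) holds exactly for the sample; the zero-variance
    # bound sqrt(<v^2>) overestimates <v> by the share carried by the variance.
    print("    sqrt(<v^2>) = %.4f >= <v> = %.4f" % (math.sqrt(mean_v2), mean_v))
    v_sq, v_bound = ap_gas_speed_prediction(G=100.0, R=50.0, N=100)
    print("AP gas: <v^2> = %.1f, <v> <= %.2f" % (v_sq, v_bound))
```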

9 Theoretical Predictions: Discussion 

We are capable of predicting three different properties of the system, all of which
affect coverage, with an accuracy of less than 20% error, and most with error
less than 10%. A 10% error is low for a theoretical prediction.

By looking at the relative error graphs of both the AP and KT approaches,
one notices that the AP error is always lower than that of KT (except in the
case of ⟨v⟩, where the AP formula is a rough approximation). In fact, only
KT gets 20% errors - AP errors are always substantially lower than 20%. Our
rationale for AP having lower errors between theory and simulation is that AP
uses a deterministic agent-positioning algorithm, whereas KT uses a stochastic
algorithm for updating particle positions. Therefore, AP predictions are precise,
whereas KT predictions are only approximate. Furthermore, as stated in [10],
Monte Carlo simulations such as KT need very long runs and huge numbers of
particles to acquire enough statistical data to produce accurate (theoretically
predictable) results. We cannot guarantee this, since we are developing control
algorithms for robotic swarms with a few to a few thousand robots. Therefore,
our experiments show a higher error than desired for a Monte Carlo method but
they are realistic for real-world swarms.

In conclusion, there appears to be a tradeoff. AP systems are more predictable 
- both on the macroscopic swarm level and on the level of individual agents. 
Therefore, if swarm predictability is a higher priority, then AP is preferable. On 
the other hand, if it is important that individual agents not be predictable (e.g., 
to an enemy), then KT is preferable. 


10 Future Work 

The next step is to develop a theory for the full surveillance task. Once this
theory is complete, experiments need to be run to test all approaches: AP, KT,
and various AP/KT hybrids. We plan to run numerous experiments to measure
coverage versus time and determine which of the algorithms outperforms the
others. Once that is complete, the next step is to port these approaches to
our laboratory mobile robots. The solid AP approach has already been ported.
Transitioning to AP gas will be straightforward. We will need to determine, using
a more realistic robot simulator, how difficult (or easy) it will be to port KT to
the actual robots.
Abstract. This paper summarizes a novel framework, called "physicomimetics,"
for the distributed control of large collections of mobile
physical agents in sensor networks. The agents sense and react to virtual
forces, which are motivated by natural physics laws. Thus, physicomimetics
is founded upon solid scientific principles. Furthermore, this framework
provides an effective basis for self-organization, fault-tolerance, and
self-repair. Examples are shown of how this framework has been applied
to construct regular geometric lattice configurations (distributed sensing
grids). Analyses are provided that facilitate system understanding and
predictability, including a quantitative analysis of potential energy that
provides the capability of setting system parameters based on theoretical
laws. Physicomimetics has been implemented both in simulation and on
a team of seven mobile robots.


1 Introduction 

The focus of our research is to build sensor network systems, specifically, to
design rapidly deployable, scalable, adaptive, cost-effective, and robust networks
(i.e., swarms, or large arrays) of autonomous distributed mobile sensing agents
(e.g., robots). This combines sensing, computation and networking with mobility,
thereby enabling deployment, assembly, reconfiguration, and disassembly of
the multi-agent collective. Our objective is to provide a scientific, yet practical,
approach to the design and analysis (behavioral assurance) of aggregate sensor
systems.

Agent vehicles could vary widely in type, as well as size, e.g., from nanobots
to micro-air vehicles (MAVs) and micro-satellites. Agents are assumed to have
sensors and effectors. An agent's sensors perceive the world, including other
agents, and an agent's effectors make changes to that agent and/or the world,
including other agents. It is assumed that agents can only sense and affect nearby
agents; thus, control rules must be "local." Desired global behavior emerges from
local agent interactions.

This paper summarizes our physicomimetics framework for robot control. A
theoretical analysis of potential energy is then provided, allowing us to properly
set system parameters a priori. Finally, results of a multi-robot implementation
are presented.

2 Relation to Alternative Approaches

System analysis enables both system design and behavioral assurance. Here, we 
adopt a physics-based approach to analysis. We consider this approach to fit 
under the category of “formal methods,” not in the traditional sense of the term 
but rather in the broader sense, i.e., a formal method is a mathematical technique
for designing and/or analyzing a system. The two main traditional formal
methods used for this purpose are theorem proving and model checking. Why do 
we use a physics-based method instead of these more traditional methods? The 
gist of theorem proving (model checking) is to begin with a theorem (property) 
and prove (show) that it holds for the target system. But what if you don’t 
know how to express the theorem or property in the first place? For example, 
suppose you visually observe a system behavior that you want to control, but 
you have no idea what causes it or how to express your property in concrete, 
logic-based or system-based terms? In particular, there may be a property/law 
relating various system parameters that enables you to predict or control the 
observed phenomenon, but you do not understand the system well enough to 
write down this law. 

For such a situation, the traditional, logic-based formal methods are not 
directly applicable. One potentially applicable approach is empirical, e.g., machine
discovery. We have chosen a theoretical (formal) physics-based approach
because: 

— Empirical techniques can tell you what happens, but not why it happens.
Causal explanations are easier to understand, apply, build upon, and
generalize.

— If a physics-based analysis technique is predictive of a system built on physics-
based principles, then this analysis provides formal verification of the
correctness of the system implementation. No such claims can be made for
empirical results.

— Finally, and most importantly, it is possible to go directly from theory to a
successful robot demo, without the usual extensive parameter tweaking! We
have already demonstrated such successes with our theories [1].

3 The Physicomimetics Framework 

In our physicomimetics framework, virtual physics forces drive a multi-agent
system to a desired configuration or state. The desired configuration (state) is
the one that minimizes overall system potential energy. We also refer to our
framework as "artificial physics" or "AP".

At an abstract level, physicomimetics treats agents as physical particles. This
enables the framework to be embodied in vehicles ranging in size all the way
from nanobots to satellites. Particles exist in two or three dimensions and are
considered to be point-masses. Each particle i has position x = (x, y, z) and
velocity v = (v_x, v_y, v_z). We use a discrete-time approximation to the continuous
behavior of the particles, with time-step Δt. At each time step, the position of
each particle undergoes a perturbation Δx. The perturbation depends on the
current velocity, i.e., Δx = vΔt. The velocity of each particle at each time step
also changes by Δv. The change in velocity is controlled by the force on the
particle, i.e., Δv = FΔt/m, where m is the mass of that particle and F is
the force on that particle.¹ A frictional force is included, for self-stabilization.
This force is modeled as a viscous friction term, i.e., the product of a viscosity
coefficient and the agent's velocity (independently modeled in the same fashion
by [2]).

The time step Δt is proportional to the amount of time the robots take
to perform their sensor readings. A parameter F_max is added, which restricts
the amount of acceleration a robot can achieve. A parameter V_max restricts
the velocity of the particles. Collisions are not modeled, because AP repulsive
forces tend to avoid collisions. Also, we do not model the low-level dynamics of
the actual robot. We consider AP to be an algorithm that will determine "way
points" for the actual physical platforms. Lower-level software can steer between
way points.

Given a set of initial conditions and some desired global behavior, we define 
what sensors, effectors, and force F laws are required such that the desired 
behavior emerges. 


4 Designing Lattice Formations 

The example considered in this section was inspired by an application which 
required a swarm of MAVs to form a hexagonal lattice, thus creating an effective 
antenna [3]. 

Since MAVs (or other small agents such as nanobots) have simple sensors
and primitive CPUs, our goal was to provide the simplest possible control rules
requiring minimal sensors and effectors. Creating hexagons appears to be rather
complicated, requiring sensors that can calculate range, the number of neighbors,
their angles, etc. However, it turns out that only range and bearing information
are required. To see this, recall that six circles of radius R can be drawn on the
perimeter of a central circle of radius R. Figure 1 illustrates this construction.
If the particles (shown as small circular spots) are deposited at the intersections
of the circles, they form a hexagon with a particle in the middle.

We see that hexagons can be created via overlapping circles of radius R. To 
map this into a force law, each particle repels other particles that are closer
than R, while attracting particles that are further than R in distance. Thus each
particle can be considered to have a circular “potential well” around itself at 
radius R - neighboring particles will want to be at distance R from each other. 
The intersection of these wells is a form of constructive interference that creates 
“nodes” of very low potential energy where the particles will be likely to reside. 

¹ F and v denote the magnitude of vectors F and v.

Fig. 1. How circles can create hexagons.

Fig. 2. The force law, when R = 50, G = 1200, p = 2 and F_max = 1.


The particles serve to create the very potential energy surface to which they are
responding!²

With this in mind we defined a force law F = G m_i m_j / r^p, where F < F_max
is the magnitude of the force between two particles i and j, and r is the range
between the two particles. The variable p represents a user-defined power, which
can range from -5.0 to 5.0. When p = 0.0 the force law is constant for all ranges.
Unless stated otherwise, we assume p = 2.0 and F_max = 1 in this paper. The
"gravitational constant" G is set at initialization. The force is repulsive if r < R
and attractive if r > R. Each particle has one sensor that can detect the range
and bearing to nearby particles. The only effector is to be able to move with
velocity v < V_max. To ensure that the force laws are local, particles have a visual
range of 1.5R.

Figure 2 shows the magnitude of the force, when R = 50, G = 1200, p = 2,
and F_max = 1 (the system defaults). There are three discontinuities in the
force law. The first occurs where the force law transitions from F_max to F =
G m_i m_j / r^p. The second occurs when the force law switches from repulsive to
attractive at R. The third occurs when the force goes to 0.

The initial conditions are a tight cluster of robots, that propel outward (due
to repulsive forces) until the desired geometric configuration is obtained. This is

² The potential energy surface is never actually computed by the robots. It is only
computed in the simulation for visualization/analysis.

simulated by using a two dimensional Gaussian random variable to initialize the
positions of all particles. Velocities of all particles are initialized to be 0.0, and
masses are all 1.0 (although the framework does not require this).

Using this force law, AP successfully forms hexagonal lattices, with a small 
number of agents or hundreds. Square lattices are also easily obtained [1,4]. For 
a radius R of 50, a gravitational constant of approximately G = 1200 provides 
good results. The issue of how to set G, given other system parameters, is the 
focus of the analysis in this paper. 



Fig. 3. Agents can form hexagonal and square lattices. 


5 Energy Analysis 

Because our force law is conservative (in the physics sense), the AP system should
obey conservation of energy - if it is implemented correctly. Furthermore, as we
shall see, the initial potential energy of the system in the starting configuration
yields important information concerning the dynamics of the system.

First, we measured the potential energy (PE) of the system at every time
step, using the path integral V = −∫ F · ds.³ This can be thought of as the
amount of work required to push each particle into position, one after another,
for the current configuration of particles. Because the force is conservative, the
order in which the particles are chosen is not relevant. Then we also measured
the kinetic energy (KE) of the particles (mv²/2). Finally, since there is friction
we also must take into account that energy as well, which we can consider to be
heat energy. If there is no friction, the heat energy is zero.

Figure 4 illustrates an example of the energy dynamics of the AP system. As
expected, the total energy remains constant over time. The system starts with
only PE. Note that the graph illustrates one of the foundational principles of
the AP system, namely, that the system continually evolves to lower PE, until
a minimum is reached. This reflects a form of stability of the final aggregate

³ V is the traditional notation for potential energy.

Fig. 4. Conservation of energy, showing how the total energy remains constant,
although the amount of different forms of energy change over time.


system, requiring work to move the system away from desired configurations 
(thus increasing PE). 

As the system evolves, the PE is converted into KE and heat, and the particles 
exhibit maximum motion, which is not very large (see Figure 4). Finally, however, 
the particles slow, and only heat remains. Note also that PE is negative after 
a certain point. This illustrates stability of individual particles (as well as the 
collective) - it would require work to push individual particles out of these 
configurations. Hence this graph shows how the system would be resilient to 
moderate amounts of force acting to disrupt it, once stable configurations are 
achieved. 

We have found that the initial configuration PE indicates important properties
of the final evolved system, namely how well it evolves and the size of the
formation. Intuitively, higher initial PE indicates that more work can be done
by the system - and the creation of bigger formations requires more work. We
have also observed that higher initial PE is correlated with better formations.
Apparently there is more energy via momentum to push through local optima
to global optima.

For example, consider Figure 5, which shows the PE of the initial configuration
of a 200 particle system (when p = 2), for different values of G. In the figure,
G_opt is the value of G at which the PE is maximized, and G_max is the largest
useful setting of G (i.e., above G_max all forces are equal to F_max). Interestingly,
PE is maximized almost exactly at the range of values of G (around 1200 to
1400) that we have found empirically to yield the best structures.

We now compute a general expression for when PE is maximized. To find
this expression for G_opt, we first need to calculate the potential energy, V. For
simplicity, we begin by calculating the potential energy of a two particle system
where the two particles are very close to each other.

It will be necessary to consider three different situations, depending on the
radial extent to which F_max dominates the force law F = G/r^p. Recall that
agents use F_max when F > F_max. This occurs when G/r^p > F_max or, equivalently,
when r < (G/F_max)^(1/p) = R'. The first situation occurs when F_max is
used only when the other particle is at close range, i.e., when 0 < R' < R. The
second situation occurs when R < R' < 1.5R. The third situation occurs when
F_max is always used, i.e., when R' > 1.5R. In this situation the force law is
constant (F_max) and V remains constant with increasing G.

Fig. 5. The amount of potential energy of the initial configuration of the system is
maximized for the G value that empirically yields the best results, which is roughly
1300. In this example p = 2. The arrows show the values of G_opt and G_max, respectively.
(Panel title: The Best Hexagonal System Configuration when p = 2.)

Let us now compute the PE for the first situation. It will be necessary to
calculate three separate integrals for this situation. The first will represent the
attractive force felt by one particle as it approaches the other, from a range of
1.5R to R. The second is the repulsive force of F = G/r^p when r < R and
F < F_max. The third represents the range where the repulsive force is simply
F_max. Then:

Note that the first term is negative because it deals with attraction, whereas the
latter two terms are positive due to repulsion. Solving and substituting for R'
yields:

$$ V = \frac{\left( 2R^{1-p} - (1.5R)^{1-p} \right) G}{1-p} - \frac{p\, G^{1/p}}{(1-p)\, F_{max}^{(1-p)/p}} $$

The derivation of the second and third situations is similar (see Appendix
for full derivations). The first situation occurs with low G, when G < F_max R^p.
The second situation occurs with higher levels of G, when F_max R^p < G <
F_max(1.5R)^p. The third situation occurs when G > F_max(1.5R)^p. In the third
situation the PE of the system remains constant as G increases even further.
Thus the maximum useful setting of G is G_max = F_max(1.5R)^p. We can see
this in Figure 5 (which represents the full curves over all three situations), where
G_max = 5625.
We next generalize to N particles for V (denoted V_N). Note that we can
build our N particle system one particle at a time, in any order (because forces
are conservative), resulting in an expression for the total initial PE:

$$ V_N = \sum_{i=0}^{N-1} iV = \frac{V N (N-1)}{2} $$

with V defined above for the 2-particle system.

Now that we have a general expression for the potential energy, V_N, to find
the expression for G_opt we need to find the value of G that maximizes it.
First, we need to determine whether the maximum occurs in the first or second
situation. It is easy to show that the slope of the PE equation for the second
situation is strictly negative; thus the maximum must occur in the first situation.
To find the maximum, we take the derivative of the PE equation for the first situation
with respect to G, set it to zero, and solve for G. The resulting maximum is at:

$$ G_{opt} = F_{max}\, R^p \left( 2 - 1.5^{1-p} \right)^{p/(1-p)} $$


Note that the value of G_opt does not depend on the number of particles, which
is a nice result. This simple formula is surprisingly predictive of the dynamics
of a 200 particle system. For example, when F_max = 1, R = 50, and p = 2,
G_opt = 1406, which is only about 7% higher than the value shown in Figure 5.
Similarly, when p = 3, G_opt = 64,429, which is very close to observed values.
The difference in values stems from the fact that in our simulation we have
initial conditions specified by a two-dimensional Gaussian random variable with
a small variance σ², whereas our mathematical analysis assumes a variance of
zero. Despite this difference, the equation for G_opt works quite well.
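The following Python is an added example rather than the paper's own code: it implements the force law of Section 4 and the first-situation two-particle PE, V_N and G_opt formulas of this section, then checks the closed-form V against a numerical integral of the force and G_opt against a brute-force scan over G. The defaults R = 50, p = 2, F_max = 1 are the paper's system defaults; treating the force at exactly r = R as zero and the integration step count are assumptions of this example.

```python
import math

# Added example (not the paper's code): AP pairwise force law (Section 4),
# two-particle initial potential energy V(G) for the first situation (R' < R),
# V_N for N coincident particles, and the closed form for G_opt (Section 5).
# Defaults R = 50, p = 2, F_max = 1 are the paper's system defaults.

def ap_force(r, G, R=50.0, p=2.0, Fmax=1.0):
    """Signed radial force on one particle due to another at range r (unit masses).
    Positive = repulsive (r < R), negative = attractive (r > R); zero beyond the
    1.5R visual range; magnitude clipped at F_max. Returning zero at exactly
    r == R (the bottom of the potential well) is an assumption of this example."""
    if r <= 0.0 or r > 1.5 * R or r == R:
        return 0.0
    magnitude = min(G / r ** p, Fmax)
    return magnitude if r < R else -magnitude

def r_prime(G, p=2.0, Fmax=1.0):
    """Range below which F_max dominates: G / r^p > F_max  <=>  r < (G/F_max)^(1/p)."""
    return (G / Fmax) ** (1.0 / p)

def two_particle_pe(G, R=50.0, p=2.0, Fmax=1.0):
    """Closed-form V for the first situation (G < F_max R^p, hence R' < R):
    V = (2 R^(1-p) - (1.5R)^(1-p)) G / (1-p) - p G^(1/p) / ((1-p) F_max^((1-p)/p))."""
    if not G < Fmax * R ** p:
        raise ValueError("closed form is only valid in the first situation")
    return ((2 * R ** (1 - p) - (1.5 * R) ** (1 - p)) * G / (1 - p)
            - p * G ** (1.0 / p) / ((1 - p) * Fmax ** ((1 - p) / p)))

def two_particle_pe_numeric(G, R=50.0, p=2.0, Fmax=1.0, steps=20000):
    """V = -integral F.ds for pushing one particle in from 1.5R to r = 0, i.e. the
    integral of the signed force over [0, 1.5R] (midpoint rule). This does not
    use the closed form, so it validates the algebra above."""
    h = 1.5 * R / steps
    return sum(ap_force((i + 0.5) * h, G, R, p, Fmax) for i in range(steps)) * h

def total_pe(G, N, R=50.0, p=2.0, Fmax=1.0):
    """V_N = V N (N-1) / 2: particles added one at a time, all initially coincident."""
    return two_particle_pe(G, R, p, Fmax) * N * (N - 1) / 2.0

def g_opt_hex(R=50.0, p=2.0, Fmax=1.0):
    """G_opt = F_max R^p (2 - 1.5^(1-p))^(p/(1-p)), the G maximizing V (and so V_N)."""
    return Fmax * R ** p * (2 - 1.5 ** (1 - p)) ** (p / (1 - p))

def g_opt_by_scan(R=50.0, p=2.0, Fmax=1.0, step=1.0):
    """Brute-force argmax of V over the first situation, as a check on g_opt_hex."""
    best_G, best_V = None, -math.inf
    G = step
    while G < Fmax * R ** p:
        V = two_particle_pe(G, R, p, Fmax)
        if V > best_V:
            best_G, best_V = G, V
        G += step
    return best_G

if __name__ == "__main__":
    G = g_opt_hex()
    print("G_opt (p=2, R=50) = %.2f, R' = %.2f" % (G, r_prime(G)))
    print("V closed form = %.4f, numeric = %.4f" % (two_particle_pe(G), two_particle_pe_numeric(G)))
    print("V_N for 200 particles = %.1f" % total_pe(G, 200))
    print("scan argmax = %.0f; G_opt (p=3) = %.0f" % (g_opt_by_scan(), g_opt_hex(p=3.0)))
```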

As described in [4], we have also had success in creating square lattices.
Performing a similar potential energy analysis yields a G_opt of:

$$ G_{opt} = F_{max}\, R^p \left( \frac{\sqrt{2}\,(N-1)\left(2 - 1.3^{1-p}\right) + N\left(2 - 1.7^{1-p}\right)}{\sqrt{2}\,(N-1) + N} \right)^{p/(1-p)} $$

Note that G_opt actually depends on the number of particles N, which is the
first time we have seen such a dependency. It occurs because we use two "species"
of particles to create square lattices, which have different sensor ranges. However,
because this difference is not large, the dependency on N is also not large. For
example, with R = 50 and F_max = 1, then when p = 2 and there are 200 total
particles, G_opt = 1466. With only 20 particles G_opt = 1456. Similarly, when
p = 3 we obtain values of G_opt = 67,330 and G_opt = 66,960 respectively (for
200 and 20 particle systems).

6 Experiments With a Team of Robots 

For our experiments, we used seven robots from the KISS Institute for Practical
Robotics. For detecting neighboring robots, Sharp GP2D12 IR sensors are
mounted, providing a 360 degree field of view, from which object detection is
performed. The output is a list that gives the bearing and range to all neighboring
robots. Once sensing and object detection are complete, the AP algorithm
computes the virtual force felt by that robot. In response, the robot will turn
and move to some position. This cycle of sensing, computation and motion
continues until we shut down the robots or they lose power. The AP code is simple
to implement. It takes a robot neighbor list as input, and outputs a turn and
distance to move.

The goal of the first experiment was to form a hexagon with seven robots.
Each robot ran the same software. The desired distance R between robots was
23 inches. Using the theory we chose a G of 270 (p = 2 and F_max = 1). The
beginning configuration was random. The final configuration was a hexagon. The
results are consistent, achieving the same formation ten times in a row with the
same starting conditions and taking approximately seven cycles on average. For
all runs the robots were separated by 20.5 to 26 inches in the final formation,
which is only slightly more error than the sensor error.

For our second experiment we placed four photo-diode light sensors on each robot, one per side. These produced an additional force vector, moving the robots towards a light source (a window).⁴ The results are shown in Figure 6, and were consistent over ten runs, achieving an accuracy comparable to the formation experiment above. The robots moved about one foot in 13 cycles of the AP algorithm.



Fig. 6. Seven robots get into formation, and move toward the light. 

⁴ The reflection of the window on the floor is not noticed by the robots and is not the light source.
7 Summary, Related and Future Work

This paper presents a novel analysis of AP, focusing on potential energy. This analysis provides us with a predictive technique for setting important parameters in the system, thus enabling a system user to create (with good assurance) large formations. This static analysis combines many important parameters of the system, such as $G$, $R$, $p$, $F_{max}$, and sensor range. It also includes the geometry of the formations in a natural fashion. The parameter $N$ was included as well, but it turns out to be of little relevance for our most important results. This is a nice feature, since our original motivation for the AP approach was that we wished it to scale easily to large numbers of agents. To include the other relevant dynamic parameters such as $\Delta t$, $V_{max}$ and friction will require a more dynamic analysis.

The work that is most related consists of other theoretical analyses of swarm systems. Our comparisons are in terms of the goal and method of analysis. There are generally two goals: stability and convergence/correctness. Under stability is the work by [5-7]. Convergence/correctness work includes [5]. Other goals of theoretical analyses include time complexity [8], synthesis [9], prediction of movement cohesion [5], coalition size [6], number of instigators to switch strategies [10], and collision frequency [11].

Methods of analysis are also diverse. Here we focus only on physics-based 
analyses of physics-based swarm robotics systems. We know of four methods. 
The first is the Lyapunov analysis by [7]. The second is the kinetic gas theory 
by [11]. The third is the minimum energy analysis by [9]. The fourth develops 
macro-level equations describing flocking as a fluid-like movement [12]. 

The capability of being able to set system parameters based on theoretical laws 
has enormous practical value. To the best of our knowledge, the only analyses 
mentioned above that can be used to set system parameters are those of [6,10,12]. 
The first two analyses are of behavior-based systems, while the latter is of a 
“velocity matching” particle system. 

In the long run, we’d like to design and analyze virtual worlds based on AP. 
The theoretical results being developed here would formalize the multi-robot 
motions in such a virtual world, which would then influence the coordination of 
actual robots. 
Appendix: Derivation of Potential Energy Analysis

Hexagonal Formations 

In this appendix are details for computing the general expression for PE, and where it is maximized. For simplicity, we begin by calculating the potential energy of a two particle system where the two particles are very close to each other.

It will be necessary to consider three different situations, depending on the radial extent to which $F_{max}$ dominates the force law $F = G/r^p$. Recall that agents use $F_{max}$ when $F > F_{max}$. This occurs when $G/r^p > F_{max}$ or, equivalently, when $r < (G/F_{max})^{1/p} = R'$. The first situation occurs when $F_{max}$ is used only when the other particle is at close range, i.e., when $0 < R' < R$. The second situation occurs when $R < R' < 1.5R$. The third situation occurs when $F_{max}$ is always used, i.e., when $R' > 1.5R$. In this situation the force law is constant ($F_{max}$) and $V$ remains constant with increasing $G$.


First Situation: Let us now compute the PE for the first situation. It will be necessary to calculate three separate integrals for this situation. The first will represent the attractive force felt by one particle as it approaches the other, from a range of $1.5R$ to $R$. The second is the repulsive force of $F = G/r^p$ when $r < R$ and $F < F_{max}$. The third represents the range where the repulsive force is simply $F_{max}$.⁵ Then:

$$V = -\int_{R}^{1.5R} \frac{G}{r^p}\,dr + \int_{R'}^{R} \frac{G}{r^p}\,dr + \int_{0}^{R'} F_{max}\,dr$$

Note that the first term is negative because it deals with attraction, whereas the 
latter two terms are positive due to repulsion. Then: 


$$V = -\left.\frac{G r^{1-p}}{(1-p)}\right|_{R}^{1.5R} + \left.\frac{G r^{1-p}}{(1-p)}\right|_{R'}^{R} + F_{max}\, r \Big|_{0}^{R'}$$


Expanding yields: 

$$V = -\frac{G(1.5R)^{1-p}}{(1-p)} + \frac{GR^{1-p}}{(1-p)} + \frac{GR^{1-p}}{(1-p)} - \frac{G(R')^{1-p}}{(1-p)} + F_{max}R'$$

Substituting for R f yields: 


$$V = \left[2R^{1-p} - (1.5R)^{1-p} - \left(\frac{G}{F_{max}}\right)^{(1-p)/p}\right]\frac{G}{(1-p)} + F_{max}\left(\frac{G}{F_{max}}\right)^{1/p}$$

Finally, simplification yields: 

$$V = \frac{\left(2R^{1-p} - (1.5R)^{1-p}\right)G}{(1-p)} - \frac{p\,G^{1/p}}{(1-p)F_{max}^{(1-p)/p}} \qquad (1)$$


Second Situation: The derivation of the second and third situations is similar. 
For the second situation: 

$$V = -\int_{R'}^{1.5R} \frac{G}{r^p}\,dr - \int_{R}^{R'} F_{max}\,dr + \int_{0}^{R} F_{max}\,dr$$

Then: 

$$V = -\left.\frac{G r^{1-p}}{(1-p)}\right|_{R'}^{1.5R} - F_{max}\, r \Big|_{R}^{R'} + F_{max}\, r \Big|_{0}^{R}$$

Expanding yields: 

$$V = -\frac{G(1.5R)^{1-p}}{(1-p)} + \frac{G(R')^{1-p}}{(1-p)} - F_{max}R' + F_{max}R + F_{max}R$$

Substituting for R' and simplifying yields: 

$$V = \frac{G}{(1-p)}\left[\left(\frac{G}{F_{max}}\right)^{(1-p)/p} - (1.5R)^{1-p}\right] + F_{max}\left[2R - \left(\frac{G}{F_{max}}\right)^{1/p}\right] \qquad (2)$$


⁵ Throughout our theoretical results we assume that $p \neq 1$, which is reasonable since we typically do not run AP with that setting.
Third Situation: For the third situation:

$$V = -\int_{R}^{1.5R} F_{max}\,dr + \int_{0}^{R} F_{max}\,dr$$


Then: 


$$V = -F_{max}\, r \Big|_{R}^{1.5R} + F_{max}\, r \Big|_{0}^{R}$$

$$V = -F_{max}(1.5R) + F_{max}R + F_{max}R$$

$$V = \frac{F_{max}R}{2} \qquad (3)$$


Generalization to N Particles: We next generalize to $N$ particles for $V$ (denoted $V_N$). Note that we can build our $N$ particle system one particle at a time, in any order (because forces are conservative), resulting in an expression for the total initial PE:

$$V_N = \sum_{i=0}^{N-1} iV = \frac{V N(N-1)}{2}$$

with $V$ defined above for the 2-particle system.


Optimum Value for G: Now that we have a general expression for the potential energy, $V_N$, we need to find the value of $G$ that maximizes $V_N$. First, we need to determine whether the maximum occurs in the first or second situation. It is trivial to show that the slope of the PE equation for the second situation is strictly negative; thus the maximum must occur in the first situation. To find the maximum, we take the derivative of $V_N$ for the first situation with respect to $G$, set it to zero, and solve for $G$. The constant $N(N-1)/2$ does not affect this computation:

$$\frac{dV_N}{dG} = \frac{\left(2R^{1-p} - (1.5R)^{1-p}\right)}{(1-p)} - \frac{G^{(1-p)/p}}{(1-p)F_{max}^{(1-p)/p}} = 0$$

Hence:

$$\frac{\left(2R^{1-p} - (1.5R)^{1-p}\right)}{(1-p)} = \frac{G^{(1-p)/p}}{(1-p)F_{max}^{(1-p)/p}}$$

Solving for $G$ yields:

$$G_{opt} = G = F_{max} R^p \left[2 - 1.5^{1-p}\right]^{p/(1-p)} \qquad (4)$$

Note that the value of $G_{opt}$ does not depend on the number of particles.

Square Formations

As described in [4], we have also had success in creating square lattices. The success of the hexagonal lattice hinged upon the fact that nearest neighbors are $R$ in distance. This is not true for squares, since if the distance between particles along an edge is $R$, the distance along the diagonal is $\sqrt{2}R$. Particles have no way of knowing whether their relationship to neighbors is along an edge or along a diagonal.

Suppose each particle is given another attribute, called “spin”. Half of the particles are initialized to be spin “up”, whereas the other half are spin “down”.


Fig. 7. Square lattices can be formed by using particles of two “spins”. Unlike spins are $R$ apart while like spins are $\sqrt{2}R$ apart.


Consider the square depicted in Figure 7. Particles that are spin-up are open circles, while particles that are spin-down are filled circles. Particles of unlike spin are distance $R$ from each other, whereas particles of like spin are distance $\sqrt{2}R$ from each other. This “coloring” of particles extends to square lattices, with alternating spins along the edges of squares, and same spins along the diagonals. We use the same force law as before: $F = G m_i m_j / r^p$. However, $r$ is renormalized to $r/\sqrt{2}$ if two particles have the same spin. Once again the force is repulsive if $r < R$ and attractive if $r > R$. To ensure that the force law is local, particles cannot see other particles that are further than $cR$, where $c = 1.3$ if particles have like spin and 1.7 otherwise.

A similar potential energy analysis can be performed if one views the pro- 
cess as occurring in three stages: (1) compute the PE of clustering N spin-up 
particles together, (2) compute the PE of clustering N spin-down particles, and 
(3) compute the PE of combining both clusters. 

Again, as with the hexagon formations, three situations can arise. Since the 
maximum PE again occurs with the first situation, we focus only on this situation 
for the remainder of the analysis. 


First Situation for Spin-Up Particles: First, compute the PE of the initial configuration of two spin-up particles. When particles of like spin interact, $r$ is renormalized by $\sqrt{2}$, and their sensor range is $1.3R$. Thus:

$$V = -\int_{\sqrt{2}R}^{1.3\sqrt{2}R} \frac{G}{(r/\sqrt{2})^p}\,dr + \int_{\sqrt{2}R'}^{\sqrt{2}R} \frac{G}{(r/\sqrt{2})^p}\,dr + \int_{0}^{\sqrt{2}R'} F_{max}\,dr$$

Then:

$$V = -(\sqrt{2})^p \left.\frac{G r^{1-p}}{(1-p)}\right|_{\sqrt{2}R}^{1.3\sqrt{2}R} + (\sqrt{2})^p \left.\frac{G r^{1-p}}{(1-p)}\right|_{\sqrt{2}R'}^{\sqrt{2}R} + F_{max}\, r \Big|_{0}^{\sqrt{2}R'}$$

Expanding yields:

$$V = -\frac{(\sqrt{2})^p G (1.3\sqrt{2}R)^{1-p}}{(1-p)} + \frac{(\sqrt{2})^p G (\sqrt{2}R)^{1-p}}{(1-p)} + \frac{(\sqrt{2})^p G (\sqrt{2}R)^{1-p}}{(1-p)} - \frac{(\sqrt{2})^p G (\sqrt{2}R')^{1-p}}{(1-p)} + F_{max}\sqrt{2}R'$$

Substituting for $R'$ and simplification yields:

$$V = \sqrt{2}\left[\frac{\left(2R^{1-p} - (1.3R)^{1-p}\right)G}{(1-p)} - \frac{p\,G^{1/p}}{(1-p)F_{max}^{(1-p)/p}}\right]$$


Generalization to N particles: The computation for $V$ is very similar to that for the hexagonal lattice, differing only by a constant factor of $\sqrt{2}$ and the sensor range. We now generalize to $N$ spin-up particles:

$$V_N = \frac{V N(N-1)}{2}$$


Aggregating all Particles: The computation for spin-down particles is identical. We now combine the two clusters of $N$ spin-up and $N$ spin-down particles:

$$V_{N+N} = V_N + V_N - \int_{R}^{1.7R} \frac{GN^2}{r^p}\,dr + \int_{R'}^{R} \frac{GN^2}{r^p}\,dr + \int_{0}^{R'} F_{max}N^2\,dr$$

Then:

$$V_{N+N} = V(N-1)N - \left.\frac{GN^2 r^{1-p}}{(1-p)}\right|_{R}^{1.7R} + \left.\frac{GN^2 r^{1-p}}{(1-p)}\right|_{R'}^{R} + F_{max}N^2\, r \Big|_{0}^{R'}$$

Expanding yields:

$$V_{N+N} = V(N-1)N - \frac{GN^2(1.7R)^{1-p}}{(1-p)} + \frac{GN^2R^{1-p}}{(1-p)} + \frac{GN^2R^{1-p}}{(1-p)} - \frac{GN^2(R')^{1-p}}{(1-p)} + F_{max}N^2R'$$

Simplifying and substituting for $R'$ yields:

$$V_{N+N} = V(N-1)N + N^2\left[\frac{\left(2R^{1-p} - (1.7R)^{1-p}\right)G}{(1-p)} - \frac{p\,G^{1/p}}{(1-p)F_{max}^{(1-p)/p}}\right]$$


To determine the value of $G$ for which PE is maximized, we take the derivative of $V_{N+N}$ with respect to $G$, set it to zero, and solve for $G$:

$$\frac{dV_{N+N}}{dG} = (N-1)N\sqrt{2}\left[\frac{\left(2R^{1-p} - (1.3R)^{1-p}\right)}{(1-p)} - \frac{G^{(1-p)/p}}{(1-p)F_{max}^{(1-p)/p}}\right] + N^2\left[\frac{\left(2R^{1-p} - (1.7R)^{1-p}\right)}{(1-p)} - \frac{G^{(1-p)/p}}{(1-p)F_{max}^{(1-p)/p}}\right] = 0$$

Hence:

$$(N-1)N\sqrt{2}\left[\frac{\left(2R^{1-p} - (1.3R)^{1-p}\right)}{(1-p)} - \frac{G^{(1-p)/p}}{(1-p)F_{max}^{(1-p)/p}}\right] = -N^2\left[\frac{\left(2R^{1-p} - (1.7R)^{1-p}\right)}{(1-p)} - \frac{G^{(1-p)/p}}{(1-p)F_{max}^{(1-p)/p}}\right]$$

Solving for $G$ and simplifying yields:

$$G_{opt} = G = F_{max} R^p \left[ \frac{\sqrt{2}(N-1)\left(2 - 1.3^{1-p}\right) + N\left(2 - 1.7^{1-p}\right)}{\sqrt{2}(N-1) + N} \right]^{p/(1-p)} \qquad (5)$$


Note that in this case $G_{opt}$ depends on the number of particles $N$. It occurs because of the weighted average of different inter-species and intra-species sensor ranges. However, because this difference is not large, the dependency on $N$ is also not large (and approaches zero as $N$ increases to infinity).
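As an added example (not the paper's own code), the closed forms for $G_{opt}$ in eq. (4) and eq. (5), and the first-situation PE of eq. (1), can be checked numerically against the worked values the paper quotes for square lattices ($R = 50$, $F_{max} = 1$, 200 and 20 particles): a brute-force maximum of eq. (1) lands on eq. (4), and eq. (5) reproduces the weak dependence on $N$. Function names and the search resolution are this example's own assumptions.

```python
"""Added example (not the paper's code): numerical checks of the AP
potential-energy analysis.  Constructed assumptions: eq. (1) is the
first-situation two-particle PE for hexagons, eq. (4)/(5) are the
closed forms for G_opt, and R = 50, F_max = 1 are the paper's own
worked values."""
import math


def pe_hex(G, R, p, fmax):
    """Eq. (1): two-particle PE of a hexagonal pair in the first situation
    (0 < R' < R), R' = (G/fmax)^(1/p) being the radius where F_max kicks in."""
    attract_repel = (2 * R ** (1 - p) - (1.5 * R) ** (1 - p)) * G / (1 - p)
    capped = p * G ** (1 / p) / ((1 - p) * fmax ** ((1 - p) / p))
    return attract_repel - capped


def first_situation_holds(G, R, p, fmax):
    """Eq. (1) only applies while R' = (G/fmax)^(1/p) lies in 0 < R' < R."""
    r_prime = (G / fmax) ** (1 / p)
    return 0 < r_prime < R


def g_opt_hex(R, p, fmax):
    """Eq. (4): G_opt = fmax R^p [2 - 1.5^(1-p)]^(p/(1-p)); no N dependence."""
    return fmax * R ** p * (2 - 1.5 ** (1 - p)) ** (p / (1 - p))


def g_opt_square(R, p, fmax, N):
    """Eq. (5): like-spin pairs (cutoff 1.3, weight sqrt2 (N-1)) and
    unlike-spin pairs (cutoff 1.7, weight N) are averaged, so G_opt depends on N."""
    w_like = math.sqrt(2) * (N - 1)
    w_unlike = N
    avg = (w_like * (2 - 1.3 ** (1 - p)) + w_unlike * (2 - 1.7 ** (1 - p))) / (
        w_like + w_unlike)
    return fmax * R ** p * avg ** (p / (1 - p))


def argmax_pe_hex(R, p, fmax, steps=20000):
    """Brute-force maximiser of eq. (1) over the whole first situation
    (0 < G < fmax R^p), used to confirm the closed form of eq. (4)."""
    g_edge = fmax * R ** p          # R' = R is the edge of the first situation
    best_g, best_v = None, -math.inf
    for i in range(1, steps):
        G = g_edge * i / steps
        v = pe_hex(G, R, p, fmax)
        if v > best_v:
            best_g, best_v = G, v
    return best_g


if __name__ == "__main__":
    print("hexagon G_opt(R=50, p=2):", g_opt_hex(50, 2, 1))
    print("brute-force argmax of eq. (1):", argmax_pe_hex(50, 2, 1))
    for p, N in ((2, 200), (2, 20), (3, 200), (3, 20)):
        print(f"square G_opt(R=50, p={p}, N={N}): {g_opt_square(50, p, 1, N):.0f}")
```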
Abstract. This paper presents a rigorous evaluation of a novel, distributed chemical plume tracing algorithm. The algorithm is a combination of the best aspects of the two most popular predecessors for this task. Furthermore, it is based on solid, formal principles from the field of fluid mechanics. The algorithm is applied by a network of mobile sensing agents (e.g., robots or micro-air vehicles) that sense the ambient fluid velocity and chemical concentration, and calculate derivatives. The algorithm drives the robotic network to the source of the toxic plume, where measures can be taken to disable the source emitter. This work is part of a much larger effort in research and development of a physics-based approach to developing networks of mobile sensing agents for monitoring, tracking, reporting and responding to hazardous conditions.


1 Introduction 

The objective of this research is the development of an effective, efficient, and 
robust distributed search algorithm for a team of robots that must locate an 
emitter that is releasing a toxic chemical gas. The basis for this algorithm is a 
physics-based framework for distributed multi-agent control [1]. This framework, 
called physicomimetics or artificial physics (AP), assumes several to hundreds of 
simple, inexpensive mobile robotic agents with limited processing power and a 
small set of on-board sensors. Using AP, the agents will configure into geometric 
lattice formations that are preserved as the robots navigate around obstacles to 
a source location [2]. 

In this paper, we present a novel algorithm for chemical plume tracing (CPT) that is built upon the AP framework. The CPT task consists of finding the chemical, tracking the chemical to its source emitter and, finally, identifying the emitter. Here, we focus on the latter two subtasks. Our CPT algorithm combines the strengths of the two most popular chemical plume tracing techniques in use today. Furthermore, it is founded upon solid theoretical (formal) principles of fluid dynamics, which will make further analysis and improvement possible. Our algorithm assumes an AP-maintained lattice which acts as a distributed computational fluid dynamics (CFD) grid for calculating derivatives of flow-field variables, such as fluid velocity and chemical concentration. This paper consists of a formal study of the effectiveness of our novel algorithm, including comparisons with the two most popular alternatives on which it is built. To supplement the discussion of the underlying theory, we include results from software simulations that implement the theoretical scenarios we present, and include realistic elements of measurement discretization.

2 Motivation 

The authors’ goal is to design a search algorithm that scales well to a large number of robots, ranging perhaps from ten agents to a thousand and beyond. In order to achieve this goal, two things are necessary: a formal theory upon which the algorithm is based, and a suitable task that can be used to test the algorithm. The task of chemical plume tracing has posed problems for a number of years in a variety of manufacturing and military applications. In light of the current national concern with security and the possibility of a chemical terrorist attack, several private and government agencies have expressed interest in updating current techniques used to track hazardous plumes, and improving the search strategies used to locate the toxin emitter [3-6].

Because the physicomimetics framework relies on application of virtual forces 
to construct and maintain the robotic lattice, physics is the natural choice for 
the theoretical foundation of our work. In particular, the well-studied field of 
fluid physics and mechanics is well-suited for the development and validation of 
our algorithms. 

There is another advantage of using a physics-based foundation. Computational fluid mechanics requires computational meshes for sampling and processing of flow-field variable values. The lattice arrangements that emerge naturally from the physicomimetics framework can be used as computational meshes, thus forming a massively parallel system, capable of performing complex computations in real time, with the added benefit of resilience to failure, and ability to adjust when the environment characteristics change. The natural synergy between the different system components translates directly into an improved performance of the system. For instance, the construction of hexagonal formations requires the least amount of communication and sensor information within the agent control framework [7]; at the same time, a hexagonal lattice was shown [8] to have superior boundary characteristics for solving an important class of fluid mechanics problems.

3 Related Work 

Current research in the field has been inspired by biological olfactory systems of lobsters and moths [9-12]. The base requirement for any system that attempts to trace a chemical plume is of course the ability to sense the presence of the chemical agent, as well as its concentration. The best understood and most widely applied approach is that of chemotaxis, which consists of following a local gradient of the chemical concentration within a plume [13,14,11]. While chemotaxis is very simple to perform, it frequently leads to locations of high concentration in the plume that are not the source, such as a corner of a room. Furthermore, we have a proof, which we omit here due to space limitations, that a chemotaxis search strategy is likely to fail near the emitter’s location, due to the fact that for a typical time-varying Gaussian plume density profile, the gradient goes to zero near the distribution’s peak.

To overcome this problem, another common approach, called anemotaxis, has been developed. An anemotaxis-driven agent measures the direction of the fluid’s velocity and navigates “upstream” within the plume [15, 14]. Such a strategy is successful in problems where the flow has no large-scale turbulence. In general, we do not have the luxury of assuming this type of airflow. On the contrary, the airflow could have large turbulent eddies that curl and circulate, thus creating a region where traveling upwind will result in a cycle, causing the anemotaxis technique to fail.

Early results from applying the solution of fluid dynamic problems to robotic systems are reported by Keymeulen and Decuyper [16-18]. In this work, a highly simplified model of fluid flow was used successfully in simulation to navigate a single robot in a semi-dynamic environment; the approach was inspired by the fact that fluid flow is a good model of the iterative, local-to-global route finding task optimization, since the local pressure fields that are responsible for the existence of the stable optimal path are void of local minima. In the development of their approach, Keymeulen and Decuyper relied on the concepts of a fluid source and sink, which they used to specify the robot’s initial and goal locations. In the present work, we also base our method’s development on these two concepts, and extensively utilize both mathematical and physical properties of these two entities in the verification of our algorithm.

Work by Balkovsky and Shraiman [19] on the subject of statistical analysis 
of the plume is also relevant. They develop a probability density function having 
a Gaussian form, and use it to develop a simplified model of the chemical plume, 
which is then traversed using an algorithm that takes the probability of the 
source’s location into account. In the development of their algorithm, several 
assumptions were made regarding the type of the flow that the agent is expected 
to search. In our work we do not assume a particular flow-field, but rather 
establish several general categories of fluid flow and prove mathematically that 
our algorithm performs well in these broad and important categories. 

Research by Parunak and Brueckner [11] makes a case for analysis of the self-organization property in multi-agent systems from the standpoint of entropy and the Second Law of Thermodynamics. They develop an analogy between entropy in the context of a system’s energetic quality and informational disorder, and show how understanding and management of system entropy can be used to analyze a multi-agent system. They illustrate the idea by solving an agent coordination problem with the use of simulated randomly-diffusing pheromones. Our work complements their thermodynamic approach by looking at the conservation properties of matter, and improves it by providing a more realistic model of information flow within a system.



A promising approach to tracking and localizing a target with soft real-time constraints is discussed in Horling et al. [20]. The major contribution of their work is a radar network capable of operating under real-world conditions with realistic restrictions of noisy communication channels, limited sensory capabilities, and restricted computational power. The system however, only allows for fixed sensors and makes use of partially centralized sector and target manager agents, introducing local points of failure. In our approach, decisions are made in a fully decentralized manner, improving robustness of the entire system. In addition, our framework places no restriction on mobility of either the plume or the tracking agents.

Also of interest is the work of Polycarpou et al. [21], where the notion of 
artificial potential fields is used to find the goal object (an attractor) while 
avoiding obstacles (repellents). In order to apply potential fields, they create a 
map of the environment and the agents then are able to compute virtual forces 
based on the knowledge of the environment. However, such global maps are 
costly to build and mapping errors are a significant problem. The strategy we 
are proposing does not require environment mapping, and works well with the 
local information obtained in a highly distributed manner by the agents. 

4 Computational Fluid Dynamics 

Our approach makes use of the methods and concepts developed in the context of computational fluid dynamics (CFD), so a brief review of the relevant material will be useful. Flow of fluids is governed by three fundamental laws: the conservation of mass, conservation of momentum (Newton’s Second Law), and the conservation of energy [22,23]. There is also an equation that captures turbulent effects [24], but for simplicity we omit it here. Collectively, these equations are known as the Governing Equations. Equations that describe theoretical inviscid flows are also known as the Euler equations, while the more complex real viscous flows are described by the Navier-Stokes equations. These equations come in several forms, but we will focus on the conservation form, which is based on the time analysis of a differential volume spatially fixed in the flow field [23]. For instance, the simplest equation, the conservation of mass, is written as

$$\frac{\partial \rho}{\partial t} = -\nabla \cdot (\rho \mathbf{V}) \qquad (1)$$

Here, $\rho$ denotes the mass density of the chemical, $\mathbf{V}$ is the fluid’s velocity (collectively, $\rho$ and $\mathbf{V}$ are known as the flow-field variables), and $t$ denotes time. For any real flow of practical interest, an analytical solution of the Governing Equations is impossible to obtain, due to the inherent non-linearity of the fluid dynamic systems. Thus, one CFD approach replaces the continuous partial derivatives with the corresponding discretized finite-difference approximations, and computes the unknown flow-field variables using a computational grid which spans the region of interest. Our algorithm takes advantage of the lattice formations formed by our robotic agents to simulate the computational grid, thereby allowing the agents to perform a sophisticated analysis of the flow and make navigational decisions based on this analysis.

Other discretization methods, of which finite-volume and finite-element are best known, are also applicable to the AP-driven robotic lattices. However, in this paper, we only make use of the finite-difference discretization method because of its simple derivation from the Taylor-series expansion of partial derivatives [22]. For brevity and greater focus, we also ignore the interesting problem of boundary conditions, and focus on a theoretically limitless domain. Since we are interested in the problem of emitter localization, this simplification does not have a significant impact on the solution, as long as the region in which plume tracing is performed does not have walls nor obstacles. This limitation will be addressed in the later stages of our research.

The work presented in the following sections deals with the development of our physics-based solution to the chemical plume tracing task. It assumes a lattice of mobile agents with a limited, local view of the plume. The early theoretical results have been verified in simulation, and more complex flow configurations are currently being investigated.


5 Our Fluxotaxis Algorithm 


The RHS of (1) represents the divergence of mass flux within the differential volume. Divergence plays a key role in the proposed algorithm; it is therefore helpful to briefly review the basics. Divergence is a convenient way to quantify the change of a vector field in space. Although our approach is applicable to 3D geometries, for greater simplicity, we express the mass flux divergence in 2D Cartesian coordinates as

$$\nabla \cdot (\rho \mathbf{V}) = u\frac{\partial \rho}{\partial x} + \rho\frac{\partial u}{\partial x} + v\frac{\partial \rho}{\partial y} + \rho\frac{\partial v}{\partial y} \qquad (2)$$

where

$$\mathbf{V} = u\mathbf{i} + v\mathbf{j} \qquad (3)$$

and $\mathbf{i}$ and $\mathbf{j}$ are unit vectors in the $x$ and $y$ coordinate directions, respectively. If at some spatial point location $P$, $\nabla \cdot (\rho \mathbf{V}) > 0$, then it is said that point $P$ is a source of $\rho \mathbf{V}$, while $\nabla \cdot (\rho \mathbf{V}) < 0$ indicates a sink of $\rho \mathbf{V}$. It helps to point out that the product $\rho \mathbf{V}$ is called the mass flux [23], and represents the time rate of change of mass flow per unit area; dimensional analysis shows that $\rho \mathbf{V}$ is simply mass/(area · time). The role of this quantity in the CPT task can be better understood with the aid of the Divergence Theorem [25] from vector calculus:

$$\int_W \nabla \cdot (\rho \mathbf{V})\,dW = \oint_S (\rho \mathbf{V}) \cdot d\mathbf{S} \qquad (4)$$
This equation, where $W$ is the control volume and $S$ is the bounding surface of the volume, allows us to formally define the intuitive notion that a control volume containing a source (e.g., emitter) will have a positive mass flux divergence, while a control volume containing a sink will have a negative mass flux divergence. This result serves as our basic criterion for theoretically identifying a chemical emitter. To the best of our knowledge, previous criteria for emitter identification are purely heuristic, e.g., [14]. Our method is the first with a solid theoretical basis.

Furthermore, this result is also the basis of our novel plume tracing algorithm, which we call fluxotaxis. With fluxotaxis, the robotic lattice will compute the local divergence of mass flux, and will follow its gradient (the direction of steepest increase). Mathematically, the gradient being followed is:

$$\nabla\left(\nabla \cdot (\rho \mathbf{V})\right) = \nabla\left(u\frac{\partial \rho}{\partial x} + \rho\frac{\partial u}{\partial x} + v\frac{\partial \rho}{\partial y} + \rho\frac{\partial v}{\partial y}\right) \qquad (5)$$

Each individual robot independently calculates this flux gradient (5). Due to the virtual cohesive forces holding the lattice together, the whole lattice will move in the flux gradient direction determined by the majority (with no explicit voting).

From (2) it is clear that the fluxotaxis algorithm combines information about both velocity and chemical density, and the fact that it also encapsulates the notion of mass flux, as demonstrated in (4), provides assurance that we will find the emitter as opposed to a local density maximum. The following section presents several formal proofs in support of this statement.


6 Fluxotaxis Theory 

Our ultimate objective is to invent a foolproof mathematical formula that the 
robotic lattice can use to guide it to a chemical source. To date, the fluxotaxis 
formula is our best candidate, although it is not foolproof. With our objective 
in mind, we are currently beginning an in-depth study of the strengths and 
weaknesses of the fluxotaxis technique. Through such an analysis, we anticipate 
discovering a variant of the fluxotaxis method that will satisfy our objective. 

In this section, we prove a sequence of lemmas that begin to elucidate the strengths of the fluxotaxis strategy as a local guide to the location of the chemical emitter. In subsequent papers, we will also explore and rectify its weaknesses. Here, we present initial versions of lemmas that have restrictive (albeit realistic) assumptions; future versions will relax these assumptions. We limit ourselves to lemmas because the final theorem is the complete navigation strategy that we intend to develop. Each of the following lemmas looks at a realistic scenario and demonstrates the performance of a fluxotaxis-managed 1D robotic swarm.

All of these lemmas assume a local coordinate system shared by all of the robots in the robotic lattice. Such a shared coordinate system is achievable via local communication accompanied by coordinate transformations [2,26]. The lemmas in this section assume a single coordinate axis for simplicity; generalization to 2D is expected to be straightforward, due to symmetries, and has already been verified in software simulations.




6.1 Fluxotaxis in Constant Velocity 

Constant Velocity Lemma 1. Assume that the following conditions hold:

1. Chemical plume has a general Gaussian distribution $\rho(x) = K e^{-(x-c)^2}$, centered at $x = c$.

2. Lattice position $x_0$ is such that $x_L < x_0 < x_R$, where $x_L, x_R$ are solutions to $d^2\rho(x)/dx^2 = 0$ (see Fig. 1); this implies that $d^2\rho(x)/dx^2 < 0$ in the region of interest.

3. $\mathbf{V}$ is constant in magnitude throughout the flow, except right at the emitter ($x = c$), and is an outward radial vector.


Fig. 1. The Gaussian chemical density distribution and the radial outflow velocity profile used in the Constant Velocity Lemma 1. The shaded area indicates the region where plume tracing is carried out by the fluxotaxis agents, and the arrow at $x = c$ marks the location of the chemical emitter.


W.l.o.g., assume the existence of $P_{emt}$ and $P_{far}$ such that $P_{emt}$ is closer to the emitter than $P_{far}$. Then execution of one step of the fluxotaxis algorithm implies that the agent lattice moves closer to the emitter, or equivalently
Proof. The problem is symmetric with respect to the emitter’s location ($x = c$); thus it is sufficient to prove the case where $x_L < P_{far} < P_{emt} < c$. Because $\mathbf{V}$ is constant, $\partial u/\partial x = 0$, and (6) simplifies to

Since $u$ is a negative constant, the inequality can be simplified to

Grouping like terms gives



This is true because, by assumption 2, 
[Fig. 2 panels, top to bottom: Chemical Density (the highest density is in the middle, right at the emitter); Fluid Velocity (uniform radial split at the emitter); Lattice-Computed Divergence of Mass Flux (the maximum is near the emitter); Two-Sided Lattice Trace (agents move inward, toward the emitter).]

Fig. 2. Simulation results for the Constant Velocity Lemma 1. Individual agents are 
shown as black boxes with the white x in the middle, and the time trace of the two 
independent agent lattices is shown with boxed numbers indicating the location of the 
lattice at a given time step. The Lemma holds for any initial lattice configuration, and 
fluxotaxis successfully locates the chemical emitter 


Results of a software simulation for this lemma are shown in Fig. 2. In the figure, light-colored areas denote large values, and dark-colored areas correspond to small values. The location of the chemical emitter is marked by the triangle symbol. The initial positions of two separate agent lattices are at the outer edges of the environment, to the left and right of the emitter. During execution of the fluxotaxis algorithm, each agent (shown as a black box with a white x in the middle) computes the divergence of the mass flux using (2), with the partial derivatives replaced by the second-order accurate central difference approximation [27]. This value is recorded by the simulator for analysis purposes, and is displayed along with the final agent positions in the screen shot. Observe that the resulting divergence "landscape" has a global peak which coincides with the location of the emitter, and does not have any local maxima that could trap or mislead the agents. There is a small gap in the computed divergence plot near the emitter because the agents had terminated their search upon reaching the emitter. Each simulated agent (the black box) corresponds to one of the reference points (P_emt, P_far) in the Lemma's proof and, just as in the Lemma, there are two agents per lattice. In this simulation, both agent lattices correctly moved toward the emitter in the center. In the proof of the Constant Velocity Lemma 1, we only considered the case where the lattice was to the left of the emitter; however, a similar proof can be given for the symmetric case, where the lattice starts out on the right side of the emitter, and the simulation in Fig. 2 demonstrates that the algorithm works regardless of the initial position of the agent lattice with respect to the chemical source.

6.2 Fluxotaxis at Source and Sink

Divergence Lemma 1. The fluxotaxis technique will advance the agent lattice toward a chemical source.

Fig. 3 panels: (a) Case I; (b) Case II (labels P_far, P_emt on the lattice axis x, with V below it).

Fig. 3. Agent lattice coordinate axis orientation and the chemical source location in the Divergence Lemma 1

Proof. As before, assume a general Gaussian chemical plume distribution. W.l.o.g., assume the existence of two points P_emt and P_far, such that P_emt is closer to the source than P_far (see Fig. 3). Two cases result, based on the orientation of the lattice coordinate axis. (V is at the bottom of Fig. 3, below the axis.)


Case I assumes that the direction of the lattice coordinate axis is opposite to the direction of the fluid flow, and thus

1. d^2 u/dx^2 > 0

2. du/dx > 0; thus 0 > u_emt > u_far

3. d^2 p/dx^2 < 0

4. dp/dx > 0 and therefore p_emt > p_far

We need to prove that the agent will move toward the source, or

Assumptions 1 and
du/dx

Together with assumptions 2, 4, and algebraic rules, Case I holds.
Case II is with the lattice coordinate axis in the same direction as the fluid flow, so that both u_emt and u_far are non-negative (see Fig. 3), and the previous assumptions become

1. d^2 u/dx^2 < 0

2. du/dx > 0; thus 0 < u_emt < u_far

3. d^2 p/dx^2 < 0

4. dp/dx < 0 and therefore p_emt > p_far

The agent will turn around and move toward the source if (7) holds. From assumption 1 we conclude

du/dx

Similarly, assumption 3 yields

dp/dx

Algebraic application of the remaining assumptions shows that (7) holds. □
Fig. 4 panels (top to bottom): Chemical Density (the highest density is in the middle, right at the emitter); Fluid Velocity (radial flow speeds up away from the emitter); Lattice-Computed Divergence of Mass Flux (the maximum is near the emitter); Two-Sided Lattice Trace (agents move inward, toward the emitter).

Fig. 4. Simulation of a fluxotaxis-driven lattice (represented by black boxes) in the vicinity of a chemical source from the Divergence Lemma 1. The time trace, denoted by the numbered boxes, shows the location of each of the two different agent lattices at sequential time steps in the simulation. Both lattices correctly converge on the true location of the chemical emitter


Software simulation of this Lemma's configuration for both cases is shown in Fig. 4. As before, the fluxotaxis-driven lattice (represented by black boxes marked with the white x symbol) begins at the outer edges of the simulated world, and moves in toward the emitter, denoted by the triangle in the center. The direction of motion is determined by the gradient of the divergence of the mass flux, which is computed locally by each agent using a central difference approximation of the partial derivatives in (2), and as can be seen from the divergence plot, has the maximum value near the emitter's location. Similar to the previous simulation, the divergence value right at the emitter is not computed by the lattice, since the search terminates as soon as the emitter is found. Two fluxotaxis lattices are shown in the screen shot, and as expected, both of them successfully navigate toward the chemical source. As this figure illustrates, the initial position of a lattice with respect to the emitter does not impede the agents' ability to correctly localize the emitter.

Divergence Lemma 2. Fluxotaxis-controlled agents will move away from a chemical sink (see Fig. 5).

Fig. 5 panels: (a) Case I; (b) Case II.

Fig. 5. Location of the chemical sink and the two possible agent coordinate axis orientations in the Divergence Lemma 2

Proof. As before, assume a general Gaussian chemical plume distribution. W.l.o.g., assume the existence of two points P_snk and P_far, such that P_snk is closer to the sink than P_far (see Fig. 5). To prove that the agents will move away from the sink, we must show
Two cases result, based on the orientation of the lattice coordinate axis. (V is at the bottom of Fig. 5, below the axis.)

Case I occurs when the lattice coordinate axis points in the opposite direction to the fluid flow, so that both u_snk and u_far are negative (see Fig. 5). For this case, the assumptions are

1. d^2 u/dx^2 > 0

2. du/dx < 0; thus 0 > u_snk > u_far

3. d^2 p/dx^2 < 0

4. dp/dx < 0 and therefore p_snk > p_far

The agent will continue moving away from the sink if (8) is true. From assumption 1 we observe that

Likewise, assumption 3 implies

The remaining assumptions with algebraic simplification prove that (8) is true.
Case II is when the direction of fluid flow and the lattice coordinate axis are the same, so that

1. d^2 u/dx^2 < 0

2. du/dx < 0; thus 0 < u_snk < u_far

3. d^2 p/dx^2 < 0

4. dp/dx > 0 and therefore p_snk > p_far

From assumptions 1 and 3 we conclude that

[du/dx]_snk < [du/dx]_far and [dp/dx]_snk < [dp/dx]_far

Algebraic simplification using assumptions 2 and 4 proves Case II.


Simulation results for this lemma are presented in Fig. 6. Confirming the theoretical results just obtained, the high-density chemical build-up in the center of the environment does not fool the fluxotaxis algorithm, which correctly avoids the local spike in the density by directing the agents (again represented by black boxes) to the outer edge of the tracing region, where, as can be seen from the divergence plot, the maximum mass flux divergence occurs. The Divergence Lemma 2 proves that a fluxotaxis-driven agent lattice will escape from a sink. However, a simple chemotaxis strategy is easily fooled by sinks, since by definition of a sink, dp/dx > 0 going into the sink. The fluxotaxis scheme is more robust in this case because it looks at the second order partial of p, and also takes the divergence of velocity into account. This simulation provides an example of how effectively the fluxotaxis technique merges the chemotaxis and anemotaxis CPT methods into a physically sound algorithm with valuable self-correcting properties.


Fig. 6 panels (top to bottom): Chemical Density (the highest density is in the center, but the emitter is absent); Fluid Velocity (radial flow slows down near the center); Lattice-Computed Divergence of Mass Flux (the maximum is at the outer edges); Two-Sided Lattice Trace (agents move outward, away from the center of the sink).

Fig. 6. Simulated performance of the fluxotaxis algorithm within the chemical sink from the Divergence Lemma 2. As stated in the proof and visualized in the last time-step diagram, the robust fluxotaxis method forces the agent lattice out of the sink, even if the lattice starts out directly in the center of the sink, where the chemical concentration is at a local maximum. The robust physical foundation of the fluxotaxis algorithm allows it to outperform the simpler chemotaxis CPT strategy

7 Summary and Future Work

In this paper, we presented a new chemical plume tracing algorithm called fluxotaxis, that combines key strengths of chemotaxis and anemotaxis, the two most popular plume tracing methods. We showed that the fluxotaxis algorithm
has been developed from the fundamental physical principles of fluid flow, and 
that it is able to overcome a major flaw of chemotaxis. We also built a formal 
mathematical tool set that we will employ to further improve the algorithm. 
In particular, we plan to soon extend the basic fluxotaxis approach outlined 
here to handle turbulent eddies, thus overcoming a major flaw of anemotaxis. 
To experimentally confirm our theoretical results, we will implement the algo- 
rithm on a massively distributed system of simple robotic agents currently under 
development for the task of toxic chemical plume emitter localization. 

The most important contribution of our work is the development of a mobile robotic swarm control algorithm that can be analyzed with formal methods, such that the agents' behavior can now be mathematically predicted and guaranteed. Some of our work is relevant to the design and evaluation of artificial worlds, as it develops and refines methods for emulation of real-world physics in a simulated environment. The distributed nature of the CFD computations performed by the robotic swarm may also be of interest to the community. The contribution of this research is interdisciplinary and has a wealth of applications in domains other than the chemical plume tracing we discussed in this paper.
Abstract. The design of reactive systems must comply with logical correctness (the system does what it is supposed to do) and timeliness (the system has to satisfy a set of temporal constraints) criteria. In this paper, we propose a global approach for the design of adaptive reactive systems, i.e., systems that dynamically adapt their architecture depending on the context. We use the timed automata formalism for the design of the agents' behavior. This allows evaluating beforehand the properties of the system (regarding logical correctness and timeliness), thanks to model-checking and simulation techniques. This model is enhanced with tools that we developed for the automatic generation of code, allowing to produce very quickly a running multi-agent prototype satisfying the properties of the model.

Keywords: agent oriented software engineering, formal models, agent oriented programming


1 Introduction 

Real-time reactive systems are defined through their capability to continuously react to the environment while respecting some time constraints. In a limited amount of time, the system has to acquire and process data and events that characterize its temporal evolution, make appropriate decisions and produce actions. Thus, the robustness of the system relies on its capability to present appropriate outputs (logical correctness) at an appropriate date (timeliness). Such applications are often critical. Their hardware and software architectures have to be specified, developed and validated with care. Then, they are set in order for the system to have a deterministic and predictable behavior. The interest of multi-agent systems in this context may be considered as limited, especially because of the autonomy and proactivity properties generally attributed to agents. In fact, the decision step in real-time systems is very often hidden, and examples of usages of the multi-agent paradigm in the real-time context exploit the distributed aspects of multi-agent systems much more than the autonomy aspects.

In this paper, we aim at addressing systems in which time constraints are neither critical (obtaining a response a little bit later than specified is acceptable) nor strict (when a normal delay of response is exceeded, the result is not immediately worthless but its value decreases more or less quickly with time). Another characteristic of such systems is the variability and unpredictability of the treatments to process and of their priority, but also of the availability of active entities (processors) in charge of processing. In such a context of dynamic scheduling in distributed systems, there is no solution yet capable of guaranteeing that timing constraints are respected. Our purpose is then to design this scheduling so as to optimize the compromise between logical correctness and timeliness, possibly by loosening some constraints when all of them cannot be satisfied simultaneously.

More precisely, rather than scheduling in its classical understanding, our 
concern here is the problem of adaptive reconfiguration of the processing chain 
during the execution. This reconfiguration can occur according to the available 
resources (sensors, processors, effectors), to the wished logical correctness, to 
the measured timeliness and to the events occurring in the environment. But, 
instead of doing this in a centralized manner, the agents will need to control the 
reconfiguration themselves, in addition to their normal activity of data process- 
ing. 

Our objective here is to propose a complete approach, from a software engineering point of view, for the design of adaptive multi-agent systems. It covers all stages of the software life cycle, from an abstract specification of the application architecture to a testable implementation, including formal verification of properties and simulation. The method is based on the formalism of timed automata [?], which allows expressing systems as a set of concurrent processes satisfying some time constraints (section ??). We show that this formalism may be used to model a multi-agent system from the angle of data processing as well as that of dynamic treatment chain reconfiguration (section ??). Then, we show how model-checking and simulation may be used to verify selected properties of the system and analyze a priori its behavior (section ??). Finally, we address the problem of semi-automated translation from a timed automata specification to executable agents (section ??). But before giving more details about this work, it is necessary to give some words of explanation about our target application and its specificities.


2 Target application and objectives 

The context in which we develop our approach is the project that we call Dance with Machine [?]. This project aims at staging a real-time dialogue between a human dancer-actor and a multimodal multimedia distributed cognitive system. The role of the latter is to achieve in real time the capture and analysis of the performance of the dancer, and to build a multimedia answer to it. This answer may consist of visual animations projected on screens around the dancer, musical sequences, or actions by robots or other physical objects. We consider this application as a metaphorical transposition of the kind of interactions that we may forecast between human users and communicating objects. This is called Ambient Cognitive Environments (ACE), i.e., physical environments in which perception, processing and action devices have to organize dynamically and in a cooperative way in order to provide users with natural interaction and extended services.

The computerized setup is composed of a set of processors equipped with 
communication capabilities. They may also be connected to sensors (video cam- 
eras, biometric sensors, localization sensors, etc.) or effectors (screens, loudspeak- 
ers, engines, etc.). Each processor may run one or several agents, each of them 
being specialized for a specific kind of treatment. Data retrieved from the sensors 
must be handled by several agents before being converted into actions. Agents’ 
work is to analyze, synthesize and transform the data that they get. Data pro- 
duced by an agent are then transmitted to other agents in order to continue the 
processing. The data are finally used to generate pictures, sounds or actions, 
either when the analysis is precise enough, or when the available time is too lim- 
ited. Figure ?? shows a very simplified view of this process. Only one perception 
modality is represented, which corresponds to a video camera. 



Fig. 1. Global architecture of the processing chain in the project “Dance with Machine” . 


The use of agents in this context is justified by the distributed nature of the application (capture, processing and action are distributed among several objects and processors). But the main reason why we use agents is to make the whole system adaptive in various contexts: when components are added or removed, when the global behavior of the system must change, or when time constraints are not met by the system. The main time constraint that the system should respect is the latency, i.e., the time between the acquisition of data by sensors and the production of corresponding actions by the system, under one form or another. This latency should of course be kept as low as possible so that the reaction of the system seems instantaneous (or at least very quick). On the other hand, the analysis of the dancer's performance should be kept as precise and thorough as possible. These two constraints are potentially contradictory, since a precise and thorough analysis can take significantly more time than a rough and superficial one. The quality of an analysis can be measured along two complementary dimensions: the precision (for the measure of a parameter of the performance) and the thoroughness (when optional treatments are possible, a superficial processing will be limited to what is compulsory).

Our main purpose is to allow a very quick evaluation of various strategies in the control of the processing chain, in order to produce an efficient agent-based implementation of the system. We achieve it using a formal model of the system along with tools that we developed to automate the implementation of a functional prototype. Model-checking allows verifying that the system complies with the specified constraints (latency, non-blocking, sequentiality of treatments, etc.). Simulation, for its part, allows evaluating the quality of the compromise between logical correctness (is the quality of processing satisfactory?) and timeliness (does the system comply with time constraints?).


3 Introduction to timed automata 


Real-time systems may be specified using numerous dedicated methods and formalisms. Most of them are graphical semi-formal notations allowing a state machine representation of the behavior of the system. Among the most popular formalisms, we may quote Grafcet [?], SA/RT [?], Statecharts [?], UML/RT [?]. Such visual representations do not enable verifying the properties of systems, and it is necessary to associate a formal semantics to them, based in general on process algebras [?], Petri nets [?] or temporal logics [?]. Proposing a new formalism is not our intention here. On the contrary, we prefer to examine the potential benefit of real-time specification and verification techniques in the design and the programming of agent-based reactive systems. We chose for this purpose to use timed automata [?]. This formalism has the advantage of being relatively simple to manipulate and of possessing adequate expressivity to model time constrained concurrent systems. Moreover, there exist for this model powerful implemented tools (e.g., UPPAAL [?]) allowing model-checking and simulation.
3.1 Standard model

A timed automaton is a finite state automaton provided with a continuous time representation through real-valued variables, called clocks, allowing to express time constraints. Generally, a timed automaton is represented by an oriented graph, where the nodes correspond to states of the system while the arcs correspond to the transitions between these states. The time constraints are expressed through clock constraints and may be attached to states as well as to transitions. A clock constraint is a conjunction of atomic constraints which compare the value of a clock belonging to a finite set of clocks, to a rational constant c. Each timed automaton has a finite number of states (locations), one of them being distinguished as initial. In each state, the time progression is expressed by a uniform growth of the clock values. In that way, in a state at each instant, the value of the clock x corresponds to the time passed since the last reset of x. A clock constraint, called an invariant, is associated to each state. It has to be satisfied in order for the system to be allowed to stay in this state. Transitions between states are instantaneous. They are conditioned by clock constraints, called guards, and may also reset some clocks. They may also carry labels allowing synchronization. An example of timed automaton and a corresponding possible execution is shown in figure ??.



Fig. 2. Example of a timed automaton, where x is a clock. The guard x > 2 and the 
invariant x < 3 imply that the transition will fire after 2 and before 3 time units passed 
in the state. 


The behavior of a complex system may be represented by a single timed automaton being a product of a number of other timed automata. The set of states of this resulting automaton is the Cartesian product of the states of the component automata, the set of clocks is the union of the clocks, and similarly for the labels. Each invariant in the resulting automaton is the conjunction of the invariants of the states of the component automata, and the arcs correspond to the synchronization guided by the labels of the corresponding arcs.

3.2 Extensions in UPPAAL 

We use UPPAAL for our modelling; a detailed presentation of this tool may be found in [?]. We recall here only the main characteristics and extensions with respect to the standard model [?]. In UPPAAL, a timed automaton is a finite structure handling, in addition to a finite set of clocks evolving synchronously with time, a finite set of integer-valued and Boolean variables. A model is composed of a set of timed automata, which communicate using binary synchronization through transition labels and a syntax of emission/reception. By convention, a label k! indicates the emission of a signal on a channel k. It is supposed to be synchronized with the signal of reception, represented by a complementary label k?. Absence of synchronization labels indicates an internal action of the automaton. The execution of the model starts in the initial configuration (corresponding to the initial state of each automaton with all variable values set to zero), and is a succession of reachable configurations. The configuration change may occur for three reasons:

- by time progression corresponding to d time units in the states of the com- 
ponents, provided that all the state invariants are satisfied. In the new con- 
figuration, the clock values are increased by d and the integer variables do 
not change; 

- by a synchronization if two complementary actions in two distinct compo- 
nents are possible, and if the corresponding guards are satisfied. In the new 
configuration, the corresponding states are changed and the values of clocks 
and of integer variables are modified according to the reset and update in- 
dications; 

- by an internal action if such an action of a component is possible, it may be 
executed independently of the other components: the state and the variables 
of the component are modified as above. 

Another peculiarity of UPPAAL, useful in expressing a kind of synchronicity of moves, is the notion of "committed" states, labelled in the figures by a special label C; see, for instance, the state Choice in the first automaton of figure ??. In such a state, no delay is permitted. This implies an immediate move of the concerned component. Thus, two consecutive transitions sharing a committed state are executed without any intermediate delay.

UPPAAL allows simulating systems specified in this way, detecting deadlocks and verifying, through model-checking, various reachability properties. Typically, it can answer questions like "starting from its initial state, does the system reach a state where a given property is satisfied?", "starting from its initial state, is a given property always true?", or "starting from its initial state, can the system reach a given state within a given delay?".

4 Modelling a decentralized reactive system

As stated earlier, timed automata allow modelling systems as a set of concurrent processes. We will detail gradually in the sequel the way they may be applied to our case study. The behavior of our agents consists in receiving and processing input data in order to generate and send new outputs. The processing has a duration, considered as fixed, and has to be performed repeatedly. The corresponding model is shown in figure ??.

Fig. 3 labels: states Idle and Processing (invariant agent_clk <= max_time); edges WorkForAgentN?; agent_clk >= min_time / WorkForAgentN1!; WorkForAgentN? / lost_data++.

Fig. 3. A model of a simple agent.

Initially, the agent is waiting for new data in the state Idle. It starts processing on reception of the signal WorkForAgentN, passing to the state Processing. It comes back to the state Idle at the end of its treatment, which takes a time comprised between min_time and max_time. The following agent is then informed (through the synchronisation on the channel WorkForAgentN1) that it can start processing.
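To make the product construction of Section 3.1 and the k!/k? binary synchronization of Section 3.2 concrete, here is an added example (not the paper's model or UPPAAL's own implementation) that builds the product of two small automata: the simple agent of Fig. 3 and an extraction agent that emits on WorkForAgentN every 50 ms (the period the paper gives for the extraction agent; the location and clock names ext_clk, agent_clk and the Produce location are assumptions of this example). Guards and invariants are kept symbolic, as tuples of atomic constraint strings, so the example shows the structure of the product rather than its timed runs.

```python
"""Synchronized product of UPPAAL-style timed automata (added example).

Encodes the construction of Section 3.1 and the binary synchronization of
Section 3.2: product locations are pairs of component locations, the clock
set is the union, invariants are conjoined, an edge labelled k! pairs with
an edge labelled k? on the same channel, and unlabelled (internal) edges
interleave. Constraints are kept as tuples of atomic constraint strings, so
conjunction is tuple concatenation. The sample automata are the extraction
agent and the simple agent of Fig. 3 (the 50 ms period is the paper's; the
clock and location names are assumptions of this example).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    guard: Tuple[str, ...] = ()    # conjunction of atomic clock constraints
    label: Optional[str] = None    # "k!" emits, "k?" receives, None is internal
    resets: Tuple[str, ...] = ()   # clocks reset to 0 when the edge fires
    updates: Tuple[str, ...] = ()  # integer variable updates, e.g. "lost_data++"


@dataclass
class TimedAutomaton:
    name: str
    locations: List[str]
    init: str
    clocks: List[str]
    invariants: Dict[str, Tuple[str, ...]]  # location -> conjoined constraints
    edges: List[Edge]


def complementary(a: Optional[str], b: Optional[str]) -> bool:
    """True when the labels are k! and k? (in either order) on the same channel."""
    if not a or not b:
        return False
    return a[:-1] == b[:-1] and {a[-1], b[-1]} == {"!", "?"}


def product(a: TimedAutomaton, b: TimedAutomaton) -> TimedAutomaton:
    """Closed product: internal edges interleave, k!/k? pairs fire together."""
    def pair(la: str, lb: str) -> str:
        return f"{la}|{lb}"

    locations = [pair(la, lb) for la in a.locations for lb in b.locations]
    invariants = {pair(la, lb): a.invariants.get(la, ()) + b.invariants.get(lb, ())
                  for la in a.locations for lb in b.locations}
    edges: List[Edge] = []
    # internal action of one component while the other stands still
    for e in a.edges:
        if e.label is None:
            edges += [Edge(pair(e.src, lb), pair(e.dst, lb), e.guard, None, e.resets, e.updates)
                      for lb in b.locations]
    for e in b.edges:
        if e.label is None:
            edges += [Edge(pair(la, e.src), pair(la, e.dst), e.guard, None, e.resets, e.updates)
                      for la in a.locations]
    # binary synchronization: both edges fire at once, both guards must hold
    for ea in a.edges:
        for eb in b.edges:
            if complementary(ea.label, eb.label):
                edges.append(Edge(pair(ea.src, eb.src), pair(ea.dst, eb.dst),
                                  ea.guard + eb.guard, None,
                                  ea.resets + eb.resets, ea.updates + eb.updates))
    clocks = list(dict.fromkeys(a.clocks + b.clocks))  # union, order preserved
    return TimedAutomaton(f"{a.name}x{b.name}", locations, pair(a.init, b.init),
                          clocks, invariants, edges)


def unmatched_labels(a: TimedAutomaton, b: TimedAutomaton) -> Set[str]:
    """Labels with no complementary partner: those edges never fire in the closed product."""
    labels = [e.label for e in a.edges + b.edges if e.label]
    return {lab for lab in labels if not any(complementary(lab, other) for other in labels)}


# Extraction agent (assumed names): emits an image on WorkForAgentN every 50 ms
EXTRACTION = TimedAutomaton(
    "Extraction", ["Produce"], "Produce", ["ext_clk"],
    {"Produce": ("ext_clk <= 50",)},
    [Edge("Produce", "Produce", ("ext_clk >= 50",), "WorkForAgentN!", ("ext_clk",))])

# Simple agent of Fig. 3: data arriving during Processing is counted as lost
AGENT = TimedAutomaton(
    "Agent", ["Idle", "Processing"], "Idle", ["agent_clk"],
    {"Processing": ("agent_clk <= max_time",)},
    [Edge("Idle", "Processing", (), "WorkForAgentN?", ("agent_clk",)),
     Edge("Processing", "Idle", ("agent_clk >= min_time",), "WorkForAgentN1!"),
     Edge("Processing", "Processing", (), "WorkForAgentN?", (), ("lost_data++",))])

if __name__ == "__main__":
    p = product(EXTRACTION, AGENT)
    print(p.locations, p.clocks)
    for e in p.edges:
        print(e)
    print("unmatched:", unmatched_labels(EXTRACTION, AGENT))
```

In the closed product of these two automata the agent's WorkForAgentN1! edge has no partner, so the agent can never leave Processing: this is exactly why the chain of Fig. 1 needs the next agent (or a stub for it) in the model before deadlock freedom means anything.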

This simple model presents however the following drawback: if a new treatment request comes to an agent when it is already processing, the corresponding data is lost. The number of such events is counted by incrementing the variable lost_data. Nevertheless, the loop at the state Processing is necessary to avoid deadlocks which may occur if the situation described above happens. A solution can be to introduce an additional state playing the role of a buffer (see figure ??).

Fig. 4 labels: states Idle, Processing (invariant agent_clk <= max_time) and Buffer; edges WorkForAgentN? / agent_clk := 0; agent_clk >= min_time / WorkForAgentN1!; WorkForAgentN? / lost_data++; agent_clk >= min_time / WorkForAgentN1! / agent_clk := 0.

Fig. 4. A model of an agent with a buffer.


G. Hutzler, H. Klaudel and D.Y. Wang

Now, if a new request arrives to the agent while it is in the state Processing, it passes to the state Buffer. Then, it comes back to the state Processing at the end of the treatment, in order to start the next one. If a new request comes when the agent is already in the state Buffer, then the corresponding data is lost. At this stage, we still have to take into account the fact that a few modules (corresponding to various precisions of the processing) are available and may be used to analyze the dancer's posture. A first approach consists in duplicating the agent in charge of the corresponding treatment by associating to each copy a different duration constant. However, when new data is available, it is transmitted to one of the agents chosen in a non-deterministic way. Thus, it is necessary to incorporate in the agent a controller responsible for choosing between different treatment modules. This solution is represented in figure ??.


Fig. 5 labels: controller states Idle, Choice, EndChoice with edges Free?; condition_on_agent_clk / WorkForModule1!; !condition_on_agent_clk / WorkForModule2!; EndControl!. Module 1 states Module1Idle, Module1Processing (invariant module_clk <= max_time), Module1Free with edges WorkForModule1? / module_clk := 0; module_clk >= min_time / WorkForAgentN1!; Free!. Module 2 states Module2Idle, Module2Processing (invariant module_clk <= max_time), Module2Free with edges WorkForModule2? / module_clk := 0; module_clk >= min_time / WorkForAgentN1!.

Fig. 5. A model composed of a generic agent, a controller module and two treatment modules.


When some data is ready to be processed, the controller module passes into the state Choice. The agent chooses to execute a treatment module depending on the value of the boolean expression condition_on_agent_clk. When the chosen module finishes processing, it informs the next agent in the processing chain, then it informs the controller by sending the signal Free.

5 Verification and simulation 

The controller presented in the previous section needs of course to be instantiated by fixing explicitly the criteria determining the choice between treatment modules. We present three different strategies that may be considered and address verification and simulation experiments which may be accomplished for some interesting properties. The particular context considered for this study is explained in figure ??.

Fig. 6. A simplified scheme of the processing chain.

The extraction agent produces an image every 50 ms, which has to be treated by the agent in charge of the analysis. This treatment should be performed either by a module capable of accomplishing a complete analysis or by a module which can do only a partial one but takes less time (t_treatment2 < t_treatment1). The controller has to be designed in such a way that it could be possible to conciliate two potentially contradictory criteria: analyzing all images or, in other words, avoiding losing too many of them (timeliness) and performing a maximum of complete analyses (logical correctness).


5.1 Different strategies of choice 

The first proposal is not really a strategy but we give it as a reference. It consists only in systematically alternating the two treatment modules.

In order to minimize the loss of images, the idea is to anticipate, when the agent performs the choice (t_choice), the date when the agent will receive a new image to analyze while it already has an image in its buffer and has not terminated its current analysis (t_loss). This is possible since the frequency of arrivals of new images is constant. Thus, in the second strategy, module 1 will be chosen if and only if t_treatment1 < t_loss - t_choice.

In order to maximize the number of complete analyses, one can loosen the previous constraint by allowing the use of module 1 even if its execution will necessarily entail the loss of an image. In the third strategy, module 1 will be chosen if and only if t_treatment1 < (t_loss - t_choice) * coef, where coef fixes the limits of allowance.

5.2 Results 

For each strategy, it is possible to check with UPPAAL that the system satisfies certain properties. In particular, we checked that:

- there is no deadlock: A[ ] not deadlock;

- there is no image lost: A[ ] lost_data == 0;

- the ratio of the choice of module 1 is greater than a given threshold:

A[ ] ((nb1 * 100 / (nb1 + nb2 + lost_data)) > 50).

Moreover, it is possible to simulate the system for a given number of cycles and to check experimentally the ratio of lost images and of images which could be analyzed completely versus the treatment times t_treatment1 and t_treatment2, as shown in figure ??.
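The simulation described above, written out as an added example (this is not the authors' UPPAAL model or their simulator). It reproduces the three strategies of section 5.1 in discrete time: the extraction agent delivers an image every 50 ms into a one-place buffer, and the analysis agent chooses module 1 or module 2 at each t_choice. The values t_treatment1 = 80 ms and coef = 1.25 are those of the comparison in figure 7; t_treatment2 = 30 ms is an assumption, as is the tie rule that an arrival is processed before a completion in the same millisecond (so a treatment ending exactly at t_loss still loses the image, which is why the strategies use a strict inequality). The returned triple is the (nb1, nb2, lost_data) counted by the UPPAAL properties of section 5.2:

```python
"""Discrete-time simulation of the three choice strategies of section 5.1.

Constructed example: one extraction agent produces an image every `period`
ms into a one-place buffer; the analysis agent takes the buffered image,
chooses module 1 (complete analysis, t_treatment1) or module 2 (partial
analysis, t_treatment2 < t_treatment1) and is busy for that long.  An image
arriving while the buffer is full and the agent is busy is lost.  Times are
integer milliseconds; within one tick an arrival is processed before a
completion.
"""


def alternate(t_choice, t_loss, p):
    """Strategy 1 (reference): systematically alternate modules 1 and 2."""
    return (p["nb1"] + p["nb2"]) % 2 == 0


def avoid_loss(t_choice, t_loss, p):
    """Strategy 2: module 1 only if it terminates before the predicted loss."""
    return p["t1"] < t_loss - t_choice


def bounded_loss(t_choice, t_loss, p):
    """Strategy 3: tolerate a loss, within the allowance fixed by coef."""
    return p["t1"] < (t_loss - t_choice) * p["coef"]


def simulate(strategy, n_images, period=50, t1=80, t2=30, coef=1.25):
    """Return (nb1, nb2, lost_data) once n_images have been produced and treated."""
    p = {"t1": t1, "t2": t2, "coef": coef, "nb1": 0, "nb2": 0}
    lost = 0
    buffer = None       # arrival time of the image waiting in the buffer
    busy_until = None   # end of the current treatment, or None when idle
    arrived = 0
    t = 0
    while arrived < n_images or buffer is not None or busy_until is not None:
        # extraction agent: a new image every `period` ms
        if arrived < n_images and t == arrived * period:
            arrived += 1
            if buffer is None:
                buffer = t
            else:
                lost += 1           # buffer already full: the image is lost
        # analysis agent terminates its current treatment
        if busy_until == t:
            busy_until = None
        # analysis agent takes the buffered image and chooses a module
        if busy_until is None and buffer is not None:
            t_choice = t
            # The buffer is empty from now on; the next arrival fills it and
            # the one after that would be lost.  Arrivals are periodic, so
            # t_loss can be anticipated exactly.
            t_loss = (t_choice // period + 2) * period
            buffer = None
            if strategy(t_choice, t_loss, p):
                p["nb1"] += 1
                busy_until = t + t1
            else:
                p["nb2"] += 1
                busy_until = t + t2
        t += 1
    return p["nb1"], p["nb2"], lost


def module1_ratio(nb1, nb2, lost):
    """The quantity bounded by the third UPPAAL property of section 5.2."""
    return nb1 * 100 / (nb1 + nb2 + lost)


if __name__ == "__main__":
    for name, s in [("strategy 1", alternate), ("strategy 2", avoid_loss),
                    ("strategy 3", bounded_loss)]:
        nb1, nb2, lost = simulate(s, 200)
        print(f"{name}: module 1 {module1_ratio(nb1, nb2, lost):.1f}%, "
              f"lost {lost * 100 / 200:.1f}%")
```

With these parameters strategy 2 loses no image (the property A[ ] lost_data == 0 holds) but uses module 1 for only 40% of the images, while strategy 3 passes the 50% threshold at the price of lost images; strategy 1 does neither. Varying t2 and coef in the call reproduces the kind of trade-off curves the paper reports for figure 7.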

Model-checking techniques make it possible to verify formally and automatically whether some properties of the system considered important are satisfied in all possible system evolutions. On the other hand, simulation provides an empirical evaluation of the performance of the system in terms of logical correctness and timeliness, depending on the characteristics of the treatment modules and on the applied strategy. This also suggests a supplementary control level for the agent in charge of the image analysis: a kind of “meta-strategy” which could adapt dynamically the strategy of choice depending on various constraints and fixed objectives.

6 Automated code generation 

After having validated the model of the multi-agent system, both formally and experimentally, the next stage of development consists in translating it into an executable prototype. To do so, a naive idea would be to implement each timed automaton by a thread, since they are models of concurrent processes. Nevertheless, for a single agent modelled by several automata, this would involve several synchronizations and noticeably degrade its performance, which could be awkward for a reactive system. Thus, a first step consists in computing the synchronized product of all automata describing the same agent, in order to transform it next into a skeleton of an application. The compiler that we developed produces this synchronized product while also performing a number of optimizations in order to minimize the size of the resulting automaton. Each agent is consequently modelled by a unique timed automaton, which can be translated into an executable form in several steps. First, only the finite state automaton aspects of the given timed automaton are considered. The states where it is necessary to let time progress are assumed to correspond to some treatments. Our compiler translates such a state into a state in which the agent pauses (which is meant to be replaced by the corresponding treatment module when it is available). Finally, the synchronization signals between automata are associated with communications between the corresponding agents.

Fig. 7. The ratio of images analyzed with module 1 (on the left) and the ratio of lost images (on the right), obtained for the second strategy and various values of the treatment time for modules 1 and 2. On the bottom, a comparison of the three strategies (% module 1 and % lost data for strategies 1, 2 and 3) for t_treatment1 = 80 ms and coef = 1.25, for various values of t_treatment2.

7 Conclusion 

We presented in this paper a complete approach, from the software engineering point of view, for the modelling of adaptive real-time systems based on the multi-agent paradigm. The use of timed automata specification and verification techniques played here a central and unifying role. We showed how this formalism, thanks to its capability to model concurrent processes subject to time constraints, can be adapted in order to represent multi-agent systems. Moreover, we demonstrated that it is possible to model in a modular way an agent controller capable of making decisions depending on some fixed objectives.

The advantage to be taken from this formal specification is twofold. First, it is possible to check the model against various kinds of deadlock (or timelock) and, more generally, against any property arising from a violation of time constraints, and thus avoid some problems at a very early stage of development. Second, it is worthwhile to take advantage of the timed automata representation of the system in order to generate application skeletons automatically. To do so, we developed a specific compiler which, taking an XML representation of the timed automata specification, produces a skeleton based on the JADE multi-agent platform [?]. This prototype is finally used to validate choices made previously, during modelling and implementation, and to review and modify some of them if necessary.

Finally, the general purpose of this work is to exploit the approach described in this paper, the design patterns and the composition tools, in order to facilitate the design of an entire system. These design patterns could be coupled with machine learning techniques for the exploration of parameter spaces, in order to optimize agent behaviors when the model becomes more complex. Also, it would be interesting to develop an experimental protocol in order to validate, on the real prototype, the properties observed on the model. In this context, the presented work, even if it is at a preliminary stage, demonstrates the feasibility of this approach and gives good reason to foresee the development of powerful and complete tools dedicated to the implementation of reactive multi-agent systems.
Abstract. Rigorous Verification and Validation (V&V) techniques are essential for high assurance systems. Lately, the performance of some of these systems is enhanced by embedded adaptive components in order to cope with environmental changes. Although the ability to adapt is appealing, it actually poses a problem in terms of V&V. Since uncertainties induced by environmental changes have a significant impact on system behavior, the applicability of conventional V&V techniques is limited. In safety-critical applications such as flight control systems, the mechanisms of change must be observed, diagnosed, accommodated and well understood prior to deployment.

In this paper, we propose a non-conventional V&V approach suitable for online adaptive systems. We apply our approach to an intelligent flight control system that employs a particular type of Neural Network (NN) as the adaptive learning paradigm. The presented methodology consists of a novelty detection technique and online stability monitoring tools. The novelty detection technique is based on Support Vector Data Description and detects novel (abnormal) data patterns. The online stability monitoring tools, based on Lyapunov's stability theory, detect unstable learning behavior in neural networks. Case studies based on a high fidelity simulator of NASA's Intelligent Flight Control System demonstrate a successful application of the presented V&V methodology.


1 Introduction 

The use of biologically inspired soft computing systems (neural networks, fuzzy logic, AI planners) for online adaptation to provide adequate system functionality in changing environments has revolutionized the operation of real-time automation and control applications. In the instance of a safety-critical adaptive flight control system, these changes in the environment can be, for example, a stuck stabilator, a broken aileron and/or rudder, a sensor failure, etc. Stability and safety are two major concerns for such systems. In recent years, NASA conducted a series of experiments evaluating adaptive computational paradigms for providing fault tolerance capabilities in flight control systems following sensor and/or actuator failures. Experimental successes suggest significant potential for developing and deploying such fault tolerant controllers for future airplanes [1-4].

The non-probabilistic evolving functionality of real-time controllers, through judicious online learning, aids the adaptive system (aircraft) to recuperate from operational damage (sensor/actuator failure, changed aircraft dynamics: broken aileron or stabilator, etc.). This adds an additional degree of complexity and system uncertainty. Since it is practically impossible to estimate and analyze beforehand all possible issues relative to an adaptive system's safety and stability, these systems require a non-conventional, sophisticated V&V treatment. While adaptive systems in general are considered inherently difficult to verify and validate, system uncertainties coupled with other real-time constraints make existing traditional V&V techniques practically useless for online adaptive systems, and the implementation of a non-conventional V&V technique a challenging task [5,6]. This (in)ability to provide a theoretically valid and practically feasible verification and validation remains one of the critical factors limiting wider use of neural-network-based flight controllers [5-7].

We propose a non-conventional V&V approach and derive a validation methodology suitable for online adaptive systems. We apply our approach to an adaptive flight control system that employs Neural Networks (NN) as the adaptive learning paradigm. The presented V&V methodology consists of an online novelty detection technique and online stability monitoring tools. The novelty detection technique is based on Support Vector Data Description (SVDD) in order to detect novel (abnormal) data patterns. As a one-class classifier, the support vector data description is able to form a decision boundary around the learned data domain with very little or even zero knowledge outside the boundary. The online stability monitoring tools, based on Lyapunov stability theory, are designed to detect unstable (unusual) NN behavior. The underlying mathematics of the online monitoring tools is a rigorous mathematical stability verification technique. This technique emphasizes the need for a precise stability definition for adaptive systems and reasons about the self-stabilizing properties of the adaptive neural network within the control system's architecture.


1.1 Paper Overview 

We propose a V&V framework that is suitable for online adaptive systems in Section 2. The presented validation approach requires an understanding of two complementary novelty detection and stability analysis techniques that are discussed in detail in Sections 3 and 4. In Section 5, test cases and simulation results describing the operational behavior of the online novelty and stability analysis are discussed in detail. We conclude the paper with a brief discussion on the prospects of the presented V&V approach for other online adaptive systems in Section 6.



2 A V&V Framework 


One of the goals of our V&V and safety assurance approach is to ensure the correct diagnosis, followed by blocking or permitting, of novel (abnormal or unreliable) data entering the online adaptive component, the neural network. We propose to use novelty detectors and safety monitors as online filters [8]. Figure 1 illustrates the V&V framework. The SVDD data analysis technique is capable of detecting anomalies in the neural network's inputs and outputs. Safety monitors disallow the propagation of unsafe controller gains (adjustments) into the controller. It is evident that such a device requires a wide range of system (aircraft) domain knowledge. Therefore, we seek to define a control error adjustment and detection technique suitable for alerting to anomalous, unstable, and eventually unsafe aircraft behavior if the outputs from neural network adaptation were to enter the controller.
Fig. 1. Adaptive Flight Control System's V&V Framework.


Another key step of the validation framework is the runtime stability monitor. Its goal is to determine whether, under given flight conditions, the neural network converges, i.e., whether its state transition trajectories lead to a stationary state. The online monitor is complemented by mathematical stability proofs [9] that can define its engagement or disengagement. In other words, to preserve computational resources the online monitor may not be engaged in flight conditions that are considered to be a priori safe.


3 Novelty Detection Technique 

In general, novelty detection techniques require beforehand knowledge of both nominal and off-nominal flight domains. However, for the validation of NN in online adaptive systems, it is impossible to anticipate all possible adverse environmental conditions and/or failure modes. Under flight failure scenarios, the performance of most regular classification models deteriorates due to restrictions in their generalization capabilities and low quality data. As a one-class classification tool, the Support Vector Data Description (SVDD) technique is derived from Support Vector learning theory by Tax et al. [10, 11]. Differing from general support vector classifiers that find the maximum margin hyperplane separating two classes, the SVDD method tries to find an optimal decision boundary for a given data set. Thus, it provides the best possible representation of the target class and offers inferences that can be used to detect outliers from the nominal feature space. This, for our validation purposes, can be defined as the “safe region”, relating to nominal flight conditions.

SVDD is developed from the concept of finding a sphere with the minimal volume to contain all data [12-14]. Given a data set S consisting of N examples x_i, i = 1, ..., N, the SVDD's task is to minimize an error function containing the volume of this sphere. With the constraint that all data points must be within the sphere, which is defined by its radius R and its center a, the objective function can be translated into the following form by applying Lagrange multipliers,

$$L(R, a, \alpha_i) = R^2 - \sum_i \alpha_i \left\{ R^2 - (x_i \cdot x_i - 2\, a \cdot x_i + a \cdot a) \right\}$$

where $\alpha_i \geq 0$ are the Lagrange multipliers. L is to be minimized with respect to R and a and maximized with respect to $\alpha_i$. By setting the partial derivatives of L to zero, we also have:

$$\sum_i \alpha_i = 1$$

and

$$a = \sum_i \alpha_i x_i ,$$

which gives the Lagrangian with respect to $\alpha_i$:

$$L = \sum_i \alpha_i (x_i \cdot x_i) - \sum_{i,j} \alpha_i \alpha_j (x_i \cdot x_j)$$

where $\alpha_i \geq 0$ and $\sum_i \alpha_i = 1$.


Fig. 2. SVDD with different distances from the center.



In the solution that maximizes L, a large portion of the $\alpha_i$'s become zero. The rest of the $\alpha_i$'s are greater than zero, and their corresponding objects are called support objects. They lie on the boundary that forms the sphere containing the data. Hence, object z is accepted by the description when:

$$\|z - a\|^2 = \Big(z - \sum_i \alpha_i x_i\Big) \cdot \Big(z - \sum_i \alpha_i x_i\Big) < R^2 .$$

Real-world systems usually produce multi-dimensional, highly nonlinear data that are inseparable by a linear discriminant. This makes the data description harder to obtain. Similar to the Support Vector Machine (SVM) [10], by replacing the inner product $(x \cdot y)$ in the above equations with some kernel function $K(x, y)$, we are able to map our data from a high dimensional space onto a Hilbert space, which is also referred to as the “feature space”. In the feature space, objects can be classified with lower complexity. Selecting the well-known Gaussian kernel function, where $K(x, y) = \exp(-\|x - y\|^2 / s^2)$, we now have:

$$L = 1 - \sum_i \alpha_i^2 - \sum_{i \neq j} \alpha_i \alpha_j K(x_i, x_j) .$$

The formula for checking object z now becomes:

$$1 - 2 \sum_i \alpha_i K(z, x_i) + \sum_{i,j} \alpha_i \alpha_j K(x_i, x_j) < R^2 .$$

Since the SVDD is used as a one-class classifier, in practice there are no well-defined actual outliers other than those randomly drawn from the rest of the space outside the target class. However, by applying the SVDD method, we can obtain a relatively sound representation of the target class. To detect outliers, a more precise criterion should be inferred from empirical testing or pre-defined thresholds. Figure 2 illustrates the different boundaries obtained for different parameter settings by placing the boundary at a certain distance from the center. A rule of thumb here is that the greater the distance from the center, the rougher the boundary, and therefore the smaller the number of outliers that can be detected. In practice, a pre-defined threshold can be used as the furthest distance of a data point from the center which the system can tolerate. Such pre-defined thresholds need sufficient testing within each specific data domain.
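A kernel SVDD of the form derived above, as an added example (this is not the authors' SVDD tool). With the Gaussian kernel, $K(x, x) = 1$ and the dual of section 3 reduces to finding a minimum enclosing ball in feature space: maximize $1 - \sum_{i,j} \alpha_i \alpha_j K(x_i, x_j)$ subject to $\alpha_i \geq 0$, $\sum_i \alpha_i = 1$. The example solves this hard-margin version (no slack, every training point must lie inside the sphere) with the Frank-Wolfe method on the simplex, which is an assumption of this example rather than a method the paper names; it keeps $\alpha$ feasible at every step. Training points on the boundary give $\|\phi(z) - a\|^2 = R^2$ exactly, so the acceptance test below uses $\leq R^2$ rather than the strict inequality of the text. The nominal data are a constructed 5×5 grid in two dimensions, and the "novelty measure" is the squared distance to the center divided by $R^2$:

```python
"""Kernel SVDD as a one-class novelty detector (constructed example).

The dual with the Gaussian kernel is
    maximize  1 - sum_ij alpha_i alpha_j K(x_i, x_j)
    s.t.      alpha_i >= 0,  sum_i alpha_i = 1
(no slack variables: every training object must be inside the sphere).
It is solved by the Frank-Wolfe method on the simplex: at each step move
toward the vertex e_i that minimises the linearised objective.
"""
import math


def gaussian_kernel(x, y, s):
    """K(x, y) = exp(-||x - y||^2 / s^2)."""
    return math.exp(-sum((a - b) ** 2 for a, b in zip(x, y)) / (s * s))


class SVDD:
    def __init__(self, s=1.0, iterations=300):
        self.s = s                   # kernel width
        self.iterations = iterations

    def fit(self, points):
        n = len(points)
        K = [[gaussian_kernel(p, q, self.s) for q in points] for p in points]
        alpha = [1.0 / n] * n        # feasible starting point on the simplex
        for k in range(1, self.iterations + 1):
            # gradient of sum_ij alpha_i alpha_j K_ij is 2 K alpha
            grad = [2.0 * sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
            i_best = min(range(n), key=grad.__getitem__)   # vertex minimising the linearisation
            gamma = 2.0 / (k + 2)                            # standard Frank-Wolfe step
            alpha = [(1.0 - gamma) * a for a in alpha]       # sum(alpha) stays 1
            alpha[i_best] += gamma
        self.points, self.alpha = points, alpha
        # constant term sum_ij alpha_i alpha_j K(x_i, x_j) of the distance formula
        self.aKa = sum(alpha[i] * alpha[j] * K[i][j] for i in range(n) for j in range(n))
        # hard-margin radius: the training object farthest from the centre
        self.R2 = max(self.distance2(p) for p in points)
        return self

    def distance2(self, z):
        """||phi(z) - a||^2 = 1 - 2 sum_i alpha_i K(z, x_i) + sum_ij alpha_i alpha_j K(x_i, x_j)."""
        kz = sum(a * gaussian_kernel(z, x, self.s) for a, x in zip(self.alpha, self.points))
        return 1.0 - 2.0 * kz + self.aKa

    def novelty(self, z):
        """Squared distance to the centre relative to R^2; > 1 means outside the description."""
        return self.distance2(z) / self.R2

    def accept(self, z):
        """Object z is accepted by the description when ||phi(z) - a||^2 <= R^2."""
        return self.distance2(z) <= self.R2

    def support_objects(self, eps=1e-3):
        """Training objects whose multiplier is not (numerically) zero."""
        return [p for a, p in zip(self.alpha, self.points) if a > eps]


# Constructed nominal data: a 5x5 grid on the unit square.
NOMINAL_GRID = [(i / 4, j / 4) for i in range(5) for j in range(5)]


def fit_nominal(s=1.0):
    """Train the description on the constructed nominal grid."""
    return SVDD(s=s).fit(NOMINAL_GRID)


if __name__ == "__main__":
    model = fit_nominal()
    print("support objects:", model.support_objects())
    for z in [(0.4, 0.6), (1.0, 1.0), (2.0, 2.0)]:
        print(z, "accepted" if model.accept(z) else "novel", round(model.novelty(z), 3))
```

The kernel width s plays the role of the parameter discussed with Figure 2: a small s yields a description that hugs each training object (a rough boundary, many points in the gaps rejected), a large s a single smooth region. Since the solver is hard-margin, the tolerated distance is the novelty threshold of 1; a looser threshold can be applied to the novelty measure instead of to the multipliers.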

4 Online Monitoring 

Self-organizing neural networks, introduced by Kohonen [15] and modified by 
several others [17-19] over the last twenty years, offer topology-preserving adap- 
tive learning capabilities that can, in theory, respond and learn to abstract from 
a much wider variety of complex data-manifolds, the type of data encountered 
in an adaptive flight control system. 

The adaptation of neural networks can successfully model the topology and abstract the information from data patterns that have a predictable structure. However, during online adaptation, the data patterns may be presented to the network at varying sampling rates. The presented data can exhibit pathological dimensional stratification, such as uniformity or functional discontinuities. It has been observed (experimentally) that under these circumstances the neural network encounters difficulties in learning and abstracting information from the presented data, eventually leading to deteriorating network performance. In such cases the neural network might fail in its primary goal “to successfully learn and provide a better estimate of the learnt parameters to the flight controller”. This degradation in the network's performance is reflected in a loss of its self-stabilizing properties. The goal of an online stability monitor is to capture and analyze the self-stabilizing properties of the network in the hope that it will be able to detect unstable neural network behavior and warn the pilot/system of the imminent threat to the controller.

The construction of an online stability monitor is based on a rigorous mathematical stability analysis methodology, Lyapunov's direct method [16]. According to this method, a system is said to be stable near a given solution if one can construct a Lyapunov function (a scalar function) that identifies the regions of the state space over which such functions decrease along some smooth trajectories near the solution. In the discrete sense, Lyapunov stability can be defined as follows:

Definition 1. Lyapunov Stability

If there exists a Lyapunov function, $V : M^o \to \mathbb{R}$, defined in a region $\Omega$ of state space near a solution $x = 0$ such that

1. $V(0) = 0$

2. $V(x) > 0 \quad \forall x \in \Omega,\ x \neq 0$

3. $V(x(t_{i+1})) - V(x(t_i)) = \Delta V(x) \leq 0 \quad \forall x \in \Omega$

then the solution of the system is said to be stable in the sense of Lyapunov.



$x = 0$ represents a solution of the dynamical system, and $M^o$ and $\Omega$ represent the output space and a region surrounding this solution of the system, respectively.

According to the above definition, a system is stable if all solutions of the state that start nearby end up nearby. A good distance measure of "nearby" must be defined by a Lyapunov function $V$ over the states of the system. By constructing $V$, we can guarantee that all trajectories of the system converge to a stable state. The function $V$ should be constructed keeping in mind that it needs to be scalar ($V \in \mathbb{R}$) and should be non-increasing over the trajectories of the state space. This is required in order to ensure that all limit points of any trajectory are stationary.

Definition 2. Asymptotic Stability (AS)

If, in addition to conditions 1 and 2 of Definition 1, the Lyapunov function has a negative-definite difference

$$\Delta V(x) < 0 \quad \forall x \in \Omega \qquad (1)$$

then the system is Asymptotically Stable.

Asymptotic stability adds the property that, in a region surrounding a solution of the dynamical system, trajectories approach this given solution asymptotically.

Definition 3. Global Asymptotic Stability (GAS)

If, in addition to conditions 1 and 2 of Definition 1, the Lyapunov function is constructed such that

$$\lim_{t \to \infty} V(x) = 0 \qquad (2)$$

over the entire state space, then the system is said to be Globally Asymptotically Stable.

A notable difference between AS and GAS is the fact that GAS implies that any trajectory beginning at any initial point will converge asymptotically to the given solution, as opposed to AS, where only those trajectories beginning in the neighborhood of the solution approach the solution asymptotically. The types of stability defined above have increasing property strength:

Global Asymptotic Stability $\Rightarrow$ Asymptotic Stability $\Rightarrow$ Lyapunov Stability.

The reverse implication does not necessarily hold, as indicated by the Venn diagram of Figure 3. Thus a strict Lyapunov function should force every trajectory to asymptotically approach an equilibrium state. Even for non-strict Lyapunov functions, it is possible to guarantee convergence by LaSalle's invariance principle. In mechanical systems a Lyapunov function is considered as an energy minimization term. In economic and finance evaluations it is considered as a cost-minimization term, and for computational purposes it can be considered as an error-minimization term. Figure 4 shows a Lyapunov function for the NN operation where the decreasing cylinder radii indicate a converging, stable operation. The online stability monitor essentially computes Lyapunov and Lyapunov-like functions (similar to the one shown in Figure 4) based on the current states of the neural network learner and analyzes each function to evaluate the overall network stability. Thus, online stability monitoring complements analytical stability analysis techniques by being able to detect, in real time, system states that deviate from stable equilibria.

Fig. 3. Relative strengths of stability.

Fig. 4. A converging Lyapunov-like function.
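An online stability monitor built directly from the discrete conditions of Definition 1, as an added example (not the four DCS-specific Lyapunov-like monitors of the IFCS, whose definition the paper leaves out of scope). The state is assumed to be a small vector of estimation errors and the Lyapunov-like function is $V(x) = \|x\|^2$, which satisfies conditions 1 and 2 by construction; the monitor checks condition 3, $\Delta V \leq 0$, on every frame, reports a positive jump larger than a `spike` tolerance as unstable adaptation, and reports the first later frame with $V$ below a `settled` threshold as accommodation of the disturbance (both thresholds are assumptions). The trajectory is constructed: geometric convergence toward the equilibrium with a step disturbance injected at frame 100, mirroring the failure frame used in the case study of section 5:

```python
"""Online stability monitor from the discrete Lyapunov conditions (constructed example)."""


def lyapunov_like(state):
    """V(x) = sum of squared errors: V(0) = 0 and V(x) > 0 for x != 0 (conditions 1 and 2)."""
    return sum(e * e for e in state)


class StabilityMonitor:
    def __init__(self, spike=0.1, settled=1e-3):
        self.spike = spike          # tolerated positive jump of V (noise margin on condition 3)
        self.settled = settled      # V below this value counts as converged again
        self.prev_v = None
        self.alerts = []            # frames where Delta V > spike (condition 3 violated)
        self.recoveries = []        # first frame after an alert where V < settled
        self._unsettled = False

    def observe(self, frame, state):
        """Feed one frame of the learner's state; return 'unstable', 'settled' or 'stable'."""
        v = lyapunov_like(state)
        verdict = "stable"
        if self.prev_v is not None and v - self.prev_v > self.spike:
            # Delta V > 0 beyond the margin: the learner is moving away from the equilibrium
            self.alerts.append(frame)
            self._unsettled = True
            verdict = "unstable"
        elif self._unsettled and v < self.settled:
            # V has decreased back to (almost) zero: the disturbance is accommodated
            self.recoveries.append(frame)
            self._unsettled = False
            verdict = "settled"
        self.prev_v = v
        return verdict


def constructed_trajectory(frames=200, failure_frame=100, decay=0.9):
    """Constructed error trajectory: x_{t+1} = decay * x_t, plus a step disturbance at failure_frame."""
    x = [1.0, -1.0, 0.5]
    out = []
    for t in range(frames):
        if t > 0:
            x = [decay * e for e in x]
        if t == failure_frame:
            x = [e + d for e, d in zip(x, (2.0, 2.0, -2.0))]
        out.append(list(x))
    return out


def run_monitor(trajectory, spike=0.1, settled=1e-3):
    """Run the monitor over a whole trajectory; return (alert frames, recovery frames)."""
    monitor = StabilityMonitor(spike, settled)
    for frame, state in enumerate(trajectory):
        monitor.observe(frame, state)
    return monitor.alerts, monitor.recoveries


if __name__ == "__main__":
    alerts, recoveries = run_monitor(constructed_trajectory())
    print("Delta V > 0 at frames:", alerts)
    print("settled again at frames:", recoveries)
```

On the constructed trajectory the monitor raises exactly one alert, at the failure frame, and reports the disturbance as accommodated 45 frames later, the same pattern (spike at the failure, return of the Lyapunov-like value toward 0 within a few dozen frames) that the case study in section 5.4 describes for the DCS monitors.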



5 Case Study 


The knowledge gained through the design and evaluation of new control schemes 
is of direct use in performance verification and validation. Proper experimenta- 
tion is required to justify realism and applicability of the proposed techniques 
into actual practice. 

5.1 The Intelligent Flight Control System 

The Intelligent Flight Control System (IFCS) was developed by NASA as a novel flight control system whose primary goal is to “flight evaluate control concepts that incorporate emerging soft computing algorithms (NN or AI techniques) to provide an extremely robust aircraft capable of handling multiple accident and/or an off-nominal flight scenario” [1,2,7].
Fig. 5. The Intelligent Flight Control System.

The diagram of Figure 5 shows the architecture of the IFCS using a Dynamic Cell Structure (DCS) neural network, referred to as the Online Learning Neural Network (OLNN). The control concept can be briefly described as follows. Notable discrepancies between the outputs of the Baseline (Pre-trained) Neural Network (PTNN) and the Real-time Parameter Identification (PID), either due to a change in the aircraft dynamics (loss of control surface, aileron, stabilator) or due to sensor noise/failure, are accounted for by the Online Learning Neural Network. The primary goal of the OLNN is to learn online and provide a better estimate for future use of these discrepancies, commonly known as Stability and Control Derivative errors. The critical role played by the online learning neural network in fine-tuning the control parameters and providing smooth control adjustments is the motivation for the need for a practical, nonconventional validation methodology.

Major advances in the development of modern control laws have generated the need for developing very detailed and sophisticated simulation environments for R&D purposes. Novel techniques for adaptive flight control achieve maturity through extensive experimentation in simulated environments. Figure 6 shows the interface of the IFCS F-15 simulator developed by the WVU research team. The control framework of the simulator is based on the IFCS architecture, shown in Figure 5. Through the high fidelity simulator, we are able to collect valuable data representing nominal flight conditions as well as some failure scenarios.



Fig. 6. NASA-WVU F-15 Simulator 


5.2 Flight-Data Description 

The simulation data depicts nominal and off-nominal flight conditions of approximately 10 seconds of flying time, corresponding to 200 frames of data at the simulation rate of 20 Hz. A data frame is a point in a seven-dimensional space corresponding to 4 sensor readings (independent variables) and 3 stability and control derivative errors from PID and PTNN (dependent variables). The NN tested here is the DCS-C_z network, one of the five DCS sub-networks of the IFCS. The independent variables are Mach number (the ratio of the speed of the aircraft to the local speed of sound), alpha (the aircraft's angle of attack) and altitude of the aircraft. The dependent variables are three stability and control derivative errors generated by the difference between PID and PTNN.

In the following sections, we first present novelty detection results using SVDD on the NN training data. Online stability monitoring results for NN learning are described next. Both tools are tested on two failure mode data sets obtained from the simulator. The two specific types of failures induced in the IFCS simulator are control surface failures (stuck aileron, stabilator) and loss of control surface. A control surface failure (locked left stabilator, stuck at +3 degrees) is simulated into the system at the 100th data frame. In another simulation, a loss of control surface (50% missing surface of right aileron) failure is also induced at the 100th data frame.



5.3 Novelty Detection Using SVDD 

We first simulate one run of nominal flight conditions of 40 seconds with a segment of 800 data points saved. After running SVDD on the nominal data, we obtain a sound data description of nominal flight conditions. The data description is then used to detect novel data that falls outside the boundary. The crosses in Figure 7(a) and Figure 8(a) represent the nominal data points on which the boundary is found by SVDD.

Fig. 7. Novelty detection results using SVDD on control surface failure simulation data. (a): SVDD of nominal flight simulation data is used to detect novelties. (b): Novelty measures returned by the SVDD tool for each testing data point.

Fig. 8. Novelty detection results using SVDD on loss of control surface failure simulation data. (a): SVDD of nominal flight simulation data is used to detect novelties. (b): Novelty measures returned by the SVDD tool for each testing data point.

We then use the boundary formed by SVDD to test on failure mode simulation data. Novelty detection results for control surface failure simulation data and loss of control surface failure simulation data are shown in Figure 7 and Figure 8, respectively. Circles in Figure 7(a) and Figure 8(a) represent failure mode simulation data. In the plot of Figure 8(a), depicting the loss of control surface failure, a large portion of the failure mode data falls outside the boundary. The loss of control surface failure indicates more substantial damage than the stuck-at type of failure. Consequently, the data points in Figure 8(a) fall further outside the nominal data boundary than the data points in Figure 7(a). The novelty measures shown in Figure 7(b) and Figure 8(b) are probability-like measures computed for each data point based on the distance from the SVDD boundary formed on the nominal flight condition data. Correspondingly, in the plots of Figure 7(b) and Figure 8(b), we can see that the novelty measures of the loss of control surface failure data after the 100th data frame are larger than those of the control surface failure data. In both figures, after the 100th point, when the failures occurred, SVDD detects the abnormal changes and returns the highest novelty measures. This demonstrates the reasonably effective and accurate detection capabilities of our SVDD detector.

5.4 Online Stability Monitoring 

The described novelty detection mechanisms provide an independent approach to reliable failure detection, thus enhancing the ability of the system analyst to evaluate the mechanisms in charge of the activation of the adaptive component(s). Online stability monitors serve the purpose of evaluating whether the adaptive subsystem provides adequate accommodation capabilities that address specific environmental conditions. In other words, the monitors track the adaptation process and continually evaluate the difference between the current state abstraction provided by the learning device (the DCS neural network in our case study) and its desired goal.

Adaptive systems are associated with uncertainty, many degrees of freedom and a high noise level in real flight conditions. Due to their complexity, we may not always be able to check whether each dimension of the input data is effectively abstracted and represented by the neural network. Lyapunov theory provides the tool to collapse the multidimensional evaluation criteria into one or a few meaningful bounded functions. The data sets being modeled in the case study represent short data sequences for one out of five neural networks in the intelligent flight control system. We constructed four Lyapunov-like functions to reduce the need for checking effective learning in each dimension. Rather than looking at several dozen graphs, the adequacy (stability) of learning can be assessed from the analysis of these four graphs, representing the Lyapunov functions.

The four Lyapunov-like functions are specific to the DCS neural network of the Intelligent Flight Control System. Their formal description would require a detailed presentation of the DCS learning algorithm, which is outside the scope of this paper. In general terms, the DCS network is a so-called self-organizing map. Self-organizing maps evolve their topology to reflect as closely as possible the topological characteristics of the data set being approximated. Therefore, by measuring Euclidean distances within the evolving network and comparing them with actual distances in the training data set, we may derive a measure of the goodness of approximation. The four Lyapunov-like functions were defined because they evaluate different aspects of DCS adaptation: Kohonen's rule and the competitive Hebbian rule [19,20]. Furthermore, we noticed that these four functions react with different intensities to different training data sets. Given that these data sets represent actual aircraft failure scenarios, the selected Lyapunov-like functions complement each other.

As the neural network starts to adapt to the presented failure mode data, the run-time monitor is engaged. It continually monitors the behavior of the neural network. Figure 9 shows the plots of the four Lyapunov-like monitors before a control surface failure (locked left stabilator, stuck at +3 degrees) is induced into the system, and before it propagates into the neural network. Figure 9 shows no predominant spikes in the individual monitors, indicating the lack of intense adaptation in nominal conditions. Because the neural network does not attempt to change the control input to the flight control system, its output bears very limited overall system risk during this period.

Fig. 9. Online Monitors: Pre-control Surface Failure.


Figure 10 shows the plots of the four Lyapunov-like monitors after the control 
surface failure (locked left stabilator, stuck at +3 Degree) is induced into the 
system and after the failure propagates into the neural network. Figure 11 shows 
the plots of the four Lyapunov-like monitors after the loss of control surface (50% 
missing surface of right aileron) is simulated into the system and after the failure 
propagates into the neural network. The plots show a predominant spike at time 
frame 100 (the time of the failure). The spikes indicate the successful detection 
of the unusual (failed) environmental condition by monitoring the internals of 
the neural network. In the short term, the neural network undergoes a significant 
degree of adaptation. The high values of the Lyapunov-like functions indicate 
that the neural network needs additional time (and learning cycles) to faithfully 
represent its newly arrived (in real-time) input data set. During this period, the 
confidence in the neural network's output diminishes drastically, i.e., the network is 
not providing the desirable failure accommodation. But within the next 50 or 
so frames in Figure 10, the values of the Lyapunov-like monitors approach 0, 
indicating that the failure has been accommodated through adaptation. The failure 
accommodation delay is longer in Figure 11, an expected indication of the severe 
failure condition (the loss of a control surface). At this point, a verification 
and validation engineer needs to assess the adequacy of the failure accommodation 
mechanism with respect to the overall system safety requirements, evaluate 
alternative designs, and prepare suitable V&V recommendations to the safety 
board. 
Fig. 10. Online Monitors: Post-control Surface Failure 
Fig. 11. Online Monitors: Post-Loss of Control Surface Failure 


6 Conclusions 

We developed a non-conventional approach for validating the performance ad- 
equacy of the neural network embedded in an online adaptive flight control 
system. The validation framework consists of 

— Online filters (novelty detectors) that check the validity of inputs and control 
outputs; and 

— Runtime stability monitors that examine the stability properties of the neu- 
ral network adaptation. 

Experimental results from the data collected on an F-15 aircraft flight simulator 
show that: 

1. SVDD can be adopted for defining nominal performance regions for the 
given application domain. Our techniques provided successfully automated 
separation between faulty behaviors and normal system events in real-time 
operation. 

2. Based on the originally developed concept of Lyapunov-like functions applied 
for the first time to neural network learning, the online stability monitors 
have shown a successful realization of convergence tracking of adaptation 
error towards a stable (or unstable) and safe (or unsafe) state in the adaptive 
flight control system. 

We conclude that the proposed methodology provides a good approach for 
validating an online adaptive system's safety, stability and performance. The 
observed efficiency and scalability of both methods give us the expectation that 
the proposed V&V method can be successfully applied to other types of online 
adaptive learners. 

Abstract. We present an approach to the problem of verification of 
epistemic properties in multi-agent systems by means of symbolic model 
checking. In particular, it is shown how to extend the technique of un- 
bounded model checking from a purely temporal setting to a temporal- 
epistemic one. In order to achieve this, we base our discussion on in- 
terpreted systems semantics, a popular semantics used in multi-agent 
systems literature. We give details of the technique and show how it can 
be applied to the well known train, gate and controller problem. 
Keywords: model checking, unbounded model checking, multi-agent 
systems 


1 Introduction 

Verification of reactive systems by means of model-checking techniques [3] is 
now a well-established area of research. In this paradigm one typically models 
a system S in terms of automata (or by a similar transition-based formalism), 
builds an implementation $P_S$ of the system by means of a model-checker friendly 
language such as the input for SMV or PROMELA, and finally uses a model-checker 
such as SMV or SPIN to verify some temporal property $\varphi$ of the system: 
$M_P \models \varphi$, where $M_P$ is a temporal model representing the executions of $P_S$. 
As it is well known, there are intrinsic difficulties with the naive approach of 
performing this operation on an explicit representation of the states, and refinements 
of symbolic techniques (based on OBDD's, and SAT [1] translations) are 
being investigated to overcome these hurdles. Formal results and corresponding 
applications now allow for the verification of complex systems that generate tens 
of thousands of states. 

The field of multi-agent systems (MAS) has also recently become interested 
in the problem of verifying complex systems. In MAS the emphasis is on the 
autonomy, and rationality of the components, or agents [22]. In this area, modal 
logics representing concepts such as knowledge, beliefs, intentions, norms, and 
the temporal evolution of these are used to specify high level properties of the 
agents. Since these modalities are given interpretations that are different from 
the ones of the standard temporal operators, it is not straightforward to ap- 
ply existing model checking tools developed for standard Linear Temporal Logic 
(LTL) (or Computation Tree Logic, CTL) to the specification of 
MAS. One further problem is the fact that the modalities that are of interest 
are often not given a precise interpretation in terms of the computational states 
of the system, but simply interpreted on classes of Kripke models that guaran- 
tee (via frame-correspondence) that some intuitive properties of the system are 
preserved¹. This makes it hard to use the semantics to model any actual 
computation performed by the system [21]. For the case of knowledge, the semantics 
of interpreted systems [8], popularized by Halpern and colleagues in the 90's, 
can be used to give an interpretation to the modalities that maintains the traditional 
S5 properties, while, at the same time, is appropriate for model checking 
[9]. Indeed, a considerable amount of literature now exists on the application 
of interpreted systems and epistemic logic to the application areas of security, 
modelling of synchronous, asynchronous systems, digital rights, etc. It is fair to 
say that this area constitutes the most thoroughly explored, and technically 
advanced sub-discipline among the formal studies of multi-agent systems available 
at the moment. 


1.1 State of the art and related literature 

The recent developments in the area of model checking MAS can broadly be 
divided into two streams: in the first category standard predicates are used to 
interpret the various intensional notions and these are paired with standard model 
checking techniques based on temporal logic. Following this line is for example 
[23] and related papers. In the other category we can place techniques that make 
a genuine attempt at extending the model checking techniques by adding other 
operators. Works along these lines include [19, 20, 12, 17, 16, 15, 14, 10]. 

In [19] local propositions are used to translate knowledge modalities on LTL 
structures. Once this process is done, the result can be fed into a SPIN model 
checker. Unfortunately, in this approach local propositions need to be computed 
by the user. 

¹ For example, in epistemic logic it is customary to use equivalence models to interpret 
a knowledge modality K so that it inherits the properties of the logical system S5 
[2]; in particular axioms T, 4, and 5 (which are considered to be intuitively correct 
for knowledge) result valid. 

These works were preceded by [12], where van der Meyden and Shilov pre- 
sented theoretical properties of the model checking problems for epistemic lin- 
ear temporal logics for interpreted systems with perfect recall. In particular, it 
was shown that the problem of checking a language that includes “until” and 
“common knowledge” on perfect recall systems is undecidable, and decidable 
fragments were identified. 

In [17, 16, 15] an extension of standard temporal verification via model checking 
on OBDD's to epistemic and deontic operators is presented and studied. 

In [14, 10] an extension of the method of bounded model checking (one of the 
main SAT-based techniques) to CTLK, a language comprising both CTL and 
knowledge operators, was defined, implemented, and evaluated. While preliminary 
results appear largely positive, any bounded model checking algorithm is 
mostly of use when the task is either to check whether a universal CTLK for- 
mula is actually false on a model, or to check that an existential CTLK formula 
is valid. This is a severe limitation in MAS as it turns out that many of the 
most interesting properties one is interested in checking actually involve univer- 
sal formulas. For example, in a security setting one may want to check whether 
it is true that forever in the future a particular secret, perhaps a key, is mutually 
known by two participants. 


1.2 Aim of this paper 


The aim of this paper is to contribute to the line of SAT-based techniques, by 
overcoming the intrinsic limitation of any bounded model checking algorithm, 
and provide a method for model checking the full language of CTLK. The SAT- 
based method we introduce and discuss here is an extension to knowledge and 
time of a technique introduced by McMillan [11] called unbounded model checking 
(UMC). A byproduct of the work presented here is the definition of fixed point 
semantics for a logic CTLpK, which extends CTLK by past operators. 

Like any SAT-based method, UMC consists in translating the model checking 
problem of what is in this case a CTLpK formula into the problem of satisfiability 
of a propositional formula. UMC exploits the characterization of the basic 
modalities in terms of Quantified Boolean Formulas (QBF), and the algorithms 
that translate QBF and fixed point equations over QBF into propositional 
formulas. In order to adapt UMC for checking CTLpK, we use three algorithms. 
The first one, implemented by the procedure forall [11] (based on the Davis-Putnam-Logemann-Loveland 
approach [4]) eliminates the universal quantifier 
from a QBF formula representing a CTLpK formula, and returns the result in 
conjunctive normal form (CNF). The remaining algorithms, implemented by the 
procedures gfp and lfp, calculate the greatest and the least fixed points for the 
modal formulas in use here. Ultimately, the technique allows for a CTLpK 
formula $\alpha$ to be translated into a propositional formula $[\alpha](w)$² in CNF, which 
characterizes all the states of the model where $\alpha$ holds. 

For the case of CTL it was shown by McMillan [11] that model checking via 
UMC can be exponentially more efficient than approaches based on BDD’s in 
two situations: 

— whenever the resulting fixed points have compact representations in CNF, 
but not via BDD’s; 

— whenever the SAT-based image computation step proves to be faster than 
the BDD-based one. 

Although we do not prove it here, we expect a similar increase in efficiency for 
model checking of CTLpK over interpreted systems. 

The rest of the paper is structured in the following manner. Section 2 
introduces interpreted systems semantics, the semantics on which we ground our 
investigation. The logic CTLpK is defined in Section 3. Section 4 summarizes the 
basic definitions that we need for CNF and QBF formulas, and fixes the notation 
we use throughout the paper. A fixed point characterization of CTLpK formulas 
is presented in Section 5. The main idea of symbolic model checking CTLpK is 
described in Section 6, where algorithms for computing propositional formulas 
equivalent to CTLpK formulas are also given. Two examples on the use of the 
algorithms of this paper are given in Section 7. Preliminary experimental results 
are shown in Section 8, whereas conclusions are given in Section 9. 

2 Interpreted systems semantics 

Any transition-based semantics allows for the representation of temporal flows 
of time by means of the successor relation. For example, UMC for CTL uses 
plain Kripke models [11]. To work on a temporal epistemic language, we need to 
consider a semantics that allows for an automatic representation of the epistemic 
relations between computational states [21]. The mainstream semantics that 
allows to do so is the one of interpreted systems [8]. 

Interpreted systems can be succinctly defined as follows (we refer to [8] for 
more details). Assume a set of agents $A = \{1, \ldots, n\}$, a set of local states $L_i$ 
and possible actions $Act_i$ for each agent $i \in A$, and a set $L_e$ and $Act_e$ of local 
states and actions for the environment. The set of possible global states for the 
system is defined as $G = L_1 \times \ldots \times L_n \times L_e$, where each element $(l_1, \ldots, l_n, l_e)$ 
of G represents a computational state for the whole system (note that, as it 
will be clear below, some states in G may actually never be reached by any 
computation of the system). Further assume a set of protocols $P_i : L_i \to 2^{Act_i}$, 
for $i = 1, \ldots, n$, representing the functioning behaviour of every agent, and a 
function $P_e : L_e \to 2^{Act_e}$ for the environment. We can model the computation 
taking place in the system by means of a transition function $t : G \times Act \to G$, 
where $Act \subseteq Act_1 \times \ldots \times Act_n \times Act_e$ is the set of joint actions. Intuitively, given 
an initial state, the sets of protocols, and the transition function, we can build 
a (possibly infinite) structure that represents all the possible computations of 
the system. Many representations can be given to this structure; since in this 
paper we are only concerned with temporal epistemic properties, we shall find 
the following to be a useful one. 

² Note that $w$ is a vector of propositional variables used to encode the states of the 
model. 

Definition 1 (Models). Given a set of agents $A = \{1, \ldots, n\}$, a temporal 
epistemic model (or simply a model) is a pair $M = (\mathcal{K}, V)$ with $\mathcal{K} = (G, W, T, \sim_1, \ldots, \sim_n, \iota)$, where 

— G is the set of the global states for the system (henceforth called simply 
states); 

— $T \subseteq G \times G$ is a total binary (successor) relation on G; 

— W is the set of global states reachable from $\iota$, i.e., $W = \{s \in G \mid (\iota, s) \in T^*\}$³, 

— $\sim_i \subseteq G \times G$ ($i \in A$) is an epistemic accessibility relation for each agent 
$i \in A$ defined by $s \sim_i s'$ iff $l_i(s') = l_i(s)$, where the function $l_i : G \to L_i$ 
returns the local state of agent i from a global state s; obviously $\sim_i$ is an 
equivalence relation, 

— $\iota \in W$ is the initial state; 

— $V : G \to 2^{\mathcal{PV}}$ is a valuation function for a set of propositional variables 
$\mathcal{PV}$ such that $true \in V(s)$ for all $s \in G$. V assigns to each state a set of 
propositional variables that are assumed to be true at that state. 

Note that in the definition above we include both all possible states and the 
subset of reachable states. The reason for this follows from having past modalities 
in the language (see the next section), which are defined over any possible global 
state so that a simple fixed point semantics for them can be given. Still, note 
that, if required, it is possible to restrict the range of the past modalities to 
reachable states only by insisting that the target state is itself reachable from 
the initial state. 

By $|M|$ we denote the number of states of M, by $\mathbb{N} = \{0, 1, 2, \ldots\}$ the set of 
natural numbers and by $\mathbb{N}_+ = \{1, 2, \ldots\}$ the set of positive natural numbers. 

Epistemic relations . When we consider a group of agents, we are often interested 
in situations in which everyone in the group knows a fact a. In addition to this it 
is sometimes useful to consider other kinds of group knowledge. One of these is 
the one of common knowledge. A group of agents has common knowledge about 
a if everyone knows that a, and everyone knows that everyone knows a, and 
everyone knows that everyone knows that everyone knows that a, and so on. 
For example common knowledge is achieved following information broadcasting 
with no faults. A different notion is the one of distributed knowledge (sometimes 
referred to as "implicit knowledge", or "wise-man" knowledge). A fact $\alpha$ 
is distributed knowledge in a group of agents if it could be inferred by pooling 
together the information the agents have. We refer to [8] for an introduction to 
these concepts. 

³ $T^*$ denotes the reflexive and transitive closure of T. 

Let $\Gamma \subseteq A$. Given the epistemic relations for the agents in $\Gamma$, the union 
of $\Gamma$'s accessibility relations defines the epistemic relation corresponding to the 
modality of everybody knows: $\sim^E_\Gamma = \bigcup_{i \in \Gamma} \sim_i$. $\sim^C_\Gamma$ denotes the transitive closure 
of $\sim^E_\Gamma$ and corresponds to the relation used to interpret the modality of common 
knowledge. Notice that from reflexivity of $\sim^E_\Gamma$ it follows that $\sim^C_\Gamma$ is, in fact, the 
transitive and reflexive closure of $\sim^E_\Gamma$. The relation $\sim^D_\Gamma$ used to interpret the 
modality of distributed knowledge is given by taking the intersection of the relations 
corresponding to the agents in $\Gamma$. 

Computations. A computation in M is a possibly infinite sequence of states 
$\pi = (s_0, s_1, \ldots)$ such that $(s_i, s_{i+1}) \in T$ for each $i \in \mathbb{N}$. Specifically, we assume 
that $(s_i, s_{i+1}) \in T$ iff $s_{i+1} = t(s_i, act_i)$, i.e., $s_{i+1}$ is the result of applying the 
transition function t to the global state $s_i$ and a joint action $act_i$. All the 
components of $act_i$ are prescribed by the corresponding protocols $P_j$ for the agents 
at $s_i$. In the following we abstract from the transition function, the actions, and 
the protocols, and simply use T, but it should be clear that this is uniquely 
determined by the interpreted system under consideration. Indeed, these are given 
explicitly in the example in the last section of this paper. In interpreted systems 
terminology a computation is a part of a run; note that we do not require $s_0$ 
to be an initial state. For a computation $\pi = (s_0, s_1, \ldots)$, let $\pi(k) = s_k$, and 
$\pi_k = (s_0, \ldots, s_k)$, for each $k \in \mathbb{N}$. By $\Pi(s)$ we denote the set of all the infinite 
computations starting at s in M. 

3 Computation Tree Logic of Knowledge with Past (CTLpK) 

Interpreted systems are traditionally used to give a semantics to an epistemic 
language enriched with temporal connectives based on linear time [8]. Here we 
use Computation Tree Logic (CTL) by Emerson and Clarke [7] as our basic 
temporal language and add an epistemic and past component to it. We call the 
resulting logic Computation Tree Logic of Knowledge with Past (CTLpK). 

Definition 2 (Syntax of CTLpK). Let $\mathcal{PV}$ be a set of propositional variables 
containing the symbol true. The set of CTLpK formulas $\mathcal{FORM}$ is defined 
inductively by using the following rules only: 

• every member p of $\mathcal{PV}$ is a formula, 

• if $\alpha$ and $\beta$ are formulas, then so are $\neg\alpha$, $\alpha \wedge \beta$ and $\alpha \vee \beta$, 

• if $\alpha$ and $\beta$ are formulas, then so are $AX\alpha$, $AG\alpha$, and $A(\alpha U \beta)$, 

• if $\alpha$ is a formula, then so are $AY\alpha$ and $AH\alpha$, 

• if $\alpha$ is a formula, then so is $K_i\alpha$, for $i \in A$, 

• if $\alpha$ is a formula, then so are $C_\Gamma\alpha$, $D_\Gamma\alpha$ and $E_\Gamma\alpha$, for $\Gamma \subseteq A$. 

The other modalities are defined by duality as follows: 

— $EF\alpha \stackrel{def}{=} \neg AG\neg\alpha$, $EP\alpha \stackrel{def}{=} \neg AH\neg\alpha$, $EZ\alpha \stackrel{def}{=} \neg AZ\neg\alpha$, for $Z \in \{X, Y\}$, 

— $\overline{K}_i\alpha \stackrel{def}{=} \neg K_i\neg\alpha$, $\overline{D}_\Gamma\alpha \stackrel{def}{=} \neg D_\Gamma\neg\alpha$, $\overline{C}_\Gamma\alpha \stackrel{def}{=} \neg C_\Gamma\neg\alpha$, $\overline{E}_\Gamma\alpha \stackrel{def}{=} \neg E_\Gamma\neg\alpha$. 

Moreover, $\alpha \Rightarrow \beta \stackrel{def}{=} \neg\alpha \vee \beta$, $\alpha \Leftrightarrow \beta \stackrel{def}{=} (\alpha \Rightarrow \beta) \wedge (\beta \Rightarrow \alpha)$, and $false \stackrel{def}{=} \neg true$. 
We omit the subscript $\Gamma$ for the epistemic modalities if $\Gamma = A$, i.e., $\Gamma$ is the set 
of all the agents. As customary X, G stand for respectively "at the next step", 
and "forever in the future". Y, H are their past counterparts "at the previous 
step", and "forever in the past". The Until operator U, precisely $\alpha U \beta$, expresses 
that $\beta$ occurs eventually and $\alpha$ holds continuously until then. 


Definition 3 (Interpretation of CTLpK). Let $M = (\mathcal{K}, V)$ be a model with 
$\mathcal{K} = (G, W, T, \sim_1, \ldots, \sim_n, \iota)$, $s \in G$ a state, $\pi$ a computation, and $\alpha, \beta$ formulas 
of CTLpK. $M, s \models \alpha$ denotes that $\alpha$ is true at the state s in the model M. M is 
omitted, if it is implicitly understood. The relation $\models$ is defined inductively as 
follows: 

$s \models p$ iff $p \in V(s)$, 

$s \models \neg\alpha$ iff $s \not\models \alpha$, 

$s \models \alpha \vee \beta$ iff $s \models \alpha$ or $s \models \beta$, 

$s \models \alpha \wedge \beta$ iff $s \models \alpha$ and $s \models \beta$, 

$s \models AX\alpha$ iff $\forall \pi \in \Pi(s)\ \pi(1) \models \alpha$, 

$s \models AG\alpha$ iff $\forall \pi \in \Pi(s)\ \forall m \geq 0\ \pi(m) \models \alpha$, 

$s \models A(\alpha U \beta)$ iff $\forall \pi \in \Pi(s)\ (\exists m \geq 0\ [\pi(m) \models \beta$ and $\forall j < m\ \pi(j) \models \alpha])$, 

$s \models AY\alpha$ iff $\forall s' \in G$ (if $(s', s) \in T$, then $s' \models \alpha$), 

$s \models AH\alpha$ iff $\forall s' \in G$ (if $(s', s) \in T^*$, then $s' \models \alpha$), 

$s \models K_i\alpha$ iff $\forall s' \in W$ (if $s \sim_i s'$, then $s' \models \alpha$), 

$s \models D_\Gamma\alpha$ iff $\forall s' \in W$ (if $s \sim^D_\Gamma s'$, then $s' \models \alpha$), 

$s \models E_\Gamma\alpha$ iff $\forall s' \in W$ (if $s \sim^E_\Gamma s'$, then $s' \models \alpha$), 

$s \models C_\Gamma\alpha$ iff $\forall s' \in W$ (if $s \sim^C_\Gamma s'$, then $s' \models \alpha$). 


Definition 4. (Validity) A CTLpK formula $\varphi$ is valid in M (denoted $M \models \varphi$) 
iff $M, \iota \models \varphi$, i.e., $\varphi$ is true at the initial state of the model M. 


Notice that the past component of CTLpK does not contain the modality Since, 
which is a past counterpart of the modality Until denoted by U. Extending the 
logic by Since is possible, but complicates the semantics, so this is not discussed 
in this paper. 
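As an added illustration (this code is not part of the paper), the following Python program builds a small constructed interpreted system of two agents and evaluates CTLpK formulas over it directly from Definitions 1, 3 and 4: the temporal modalities as fixed points over the successor relation T, the past modalities over all of G, and the epistemic modalities quantifying over the reachable states W only, with the common-knowledge closure taken over G as Definition 1 states. The toy system, its propositions and the tuple encoding of formulas are assumptions of this example.

```python
from itertools import product

# Constructed toy interpreted system (added example, not the paper's model):
# agent 1 picks a bit, which agent 2 is then told.  Local states:
#   agent 1: '?' (undecided), '0' or '1' (the chosen bit)
#   agent 2: '?' (not yet told), '0' or '1' (the bit it was told)
L1 = L2 = ('?', '0', '1')
G = frozenset(product(L1, L2))   # all global states (l1, l2), as in Definition 1
IOTA = ('?', '?')                # initial state

def V(s):
    """Valuation: the propositions true at s (true itself is always among them)."""
    props = {'true'}
    if s[0] == '0': props.add('v0')    # agent 1 chose bit 0
    if s[0] == '1': props.add('v1')    # agent 1 chose bit 1
    if s[1] != '?': props.add('sent')  # agent 2 has been told the bit
    return props

def succ(s):
    """Total successor relation T: every state of G, reachable or not, has a successor."""
    if s == IOTA:
        return {('0', '?'), ('1', '?')}   # agent 1 chooses
    if s[0] != '?' and s[1] == '?':
        return {(s[0], s[0])}             # agent 2 is told the bit
    return {s}                            # every other state loops

def pred(s):
    """T-predecessors of s, taken over all of G as the past modalities require."""
    return {t for t in G if s in succ(t)}

def reachable(start):
    """W = {s | (iota, s) in T*}, by depth-first search over T."""
    seen, stack = {start}, [start]
    while stack:
        for t in succ(stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return frozenset(seen)

W = reachable(IOTA)

def e_related(grp, s, t):
    """s ~E_grp t: some agent in grp has the same local state in s and t."""
    return any(s[i - 1] == t[i - 1] for i in grp)

def c_closure(grp, s):
    """States reachable from s via ~E_grp.  Per Definition 1 the closure runs over
    all of G, so unreachable states may serve as intermediate links."""
    seen, stack = {s}, [s]
    while stack:
        x = stack.pop()
        for y in G:
            if y not in seen and e_related(grp, x, y):
                seen.add(y)
                stack.append(y)
    return seen

def fixpoint(step, start):
    z = set(start)
    while True:
        nz = step(z)
        if nz == z:
            return z
        z = nz

def sat(f):
    """States of G satisfying f (Definition 3 as set operations).  Formulas are tuples
    ('p', name), ('not', f), ('and', f, g), ('or', f, g), ('AX', f), ('AG', f),
    ('AU', f, g), ('AY', f), ('AH', f), ('K', i, f), ('D'|'E'|'C', group, f)."""
    op = f[0]
    if op == 'p':   return {s for s in G if f[1] in V(s)}
    if op == 'not': return G - sat(f[1])
    if op == 'and': return sat(f[1]) & sat(f[2])
    if op == 'or':  return sat(f[1]) | sat(f[2])
    if op == 'AX':
        a = sat(f[1]); return {s for s in G if succ(s) <= a}
    if op == 'AG':  # greatest fixed point of  a AND AX Z
        a = sat(f[1]); return fixpoint(lambda z: {s for s in a if succ(s) <= z}, G)
    if op == 'AU':  # least fixed point of  b OR (a AND AX Z)
        a, b = sat(f[1]), sat(f[2])
        return fixpoint(lambda z: b | {s for s in a if succ(s) <= z}, set())
    if op == 'AY':  # every T-predecessor in G (not only in W) satisfies a
        a = sat(f[1]); return {s for s in G if pred(s) <= a}
    if op == 'AH':  # every T*-predecessor satisfies a; T* is reflexive, so s itself counts
        a = sat(f[1]); return fixpoint(lambda z: {s for s in a if pred(s) <= z}, G)
    if op == 'K':   # K_i quantifies over the reachable states W only
        i, a = f[1], sat(f[2])
        return {s for s in G if all(t in a for t in W if t[i - 1] == s[i - 1])}
    grp, a = f[1], sat(f[2])
    if op == 'D':   # intersection of the agents' relations
        return {s for s in G if all(t in a for t in W
                                    if all(t[i - 1] == s[i - 1] for i in grp))}
    if op == 'E':   # union of the agents' relations
        return {s for s in G if all(t in a for t in W if e_related(grp, s, t))}
    if op == 'C':   # transitive closure of ~E; can fail where E holds (see c_closure)
        return {s for s in G if all(t in a for t in W if t in c_closure(grp, s))}
    raise ValueError(f'unknown operator {op!r}')

def holds(f, s):
    """M, s |= f.  Validity in the sense of Definition 4 is holds(f, IOTA)."""
    return s in sat(f)
```

Checking `('K', 2, ('p', 'v0'))` at `('0', '?')` returns False because `('?', '?')` is a reachable state with the same local state for agent 2, while at `('0', '0')` it returns True.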


4 Formulas in Conjunctive Normal Form and Quantified 
Boolean Formulas 

In this section, we briefly describe the Davis-Putnam-Logemann-Loveland approach 
[4] to checking satisfiability of formulas in conjunctive normal form (CNF), and 
show how to construct a CNF formula that is unsatisfiable exactly when a 
propositional formula $\alpha$ is valid. Having done so, we apply these two methods to 
compute a propositional formula equivalent to the quantified boolean formula $\forall v.\alpha$, 
where v is a vector of propositions. In order to do this we first give some basic 
definitions. The formalism in this section is from [11] and is reported here for 
completeness. 

Let W be a finite set of propositional variables. A literal is a propositional 
variable $p \in W$ or the negation of one: $\neg p$, $p \in W$. A clause is a disjunction 
of a set of zero or more literals $l[1] \vee \ldots \vee l[n]$. A disjunction of zero literals is 
taken to mean the constant false. A formula is in conjunctive normal form 
(CNF) if it is a conjunction of a set of zero or more clauses $c[1] \wedge \ldots \wedge c[n]$. A 
conjunction of zero clauses is taken to mean the constant true. An assignment 
is a partial function from W to $\{true, false\}$. An assignment is said to be 
total when its domain is W. A total assignment A is said to be satisfying for 
a formula $\alpha$ when $\alpha(A) = true$, i.e., the value of $\alpha$ given by A is true (under 
the usual interpretation of the boolean connectives). We equate an assignment 
A with the conjunction of a set of literals, specifically the set containing $\neg p$ for 
all $p \in dom(A)$ such that $A(p) = false$, and p for all $p \in dom(A)$ such that 
$A(p) = true$. 

For a given CNF formula $\alpha$ and an assignment A, an implication graph 
$IG(A, \alpha)$ is a maximal directed acyclic graph $(V, E)$, where V is a set of 
vertices, and E is a set of edges, such that: 

— V is a set of literals, 

— every literal in A is a root, 

— for every vertex l not in A, the CNF formula $\alpha$ contains the clause 

$cl(l, A, \alpha) = l \vee \bigvee_{m \in \{l' \in V : (l', l) \in E\}} \neg m$, 

— for all $p \in W$, V does not contain both p and $\neg p$. 

Notice that the above conditions do not uniquely define the implication graph. 
We denote by $A_\alpha$ the assignment induced by the implication graph $IG(A, \alpha)$, 
i.e., $A_\alpha = \bigwedge_{v \in V} v$, where V is the set of vertices of $IG(A, \alpha)$. Observe that $A_\alpha$ is 
an extension of A. Furthermore, $\alpha \wedge A$ implies $A_\alpha$. 

Given two clauses of the form $c[1] = p \vee C_1$ and $c[2] = \neg p \vee C_2$, where $C_1$ 
and $C_2$ are disjunctions of literals, we say that the resolvent of $c[1]$ and $c[2]$ is 
$C_1 \vee C_2$, provided that $C_1 \vee C_2$ contains no contradictory literals, i.e., it does 
not contain a variable p and its negation $\neg p$. If this happens, the resolvent does 
not exist. Note that the resolvent of $c[1]$ and $c[2]$ is a clause that is implied by 
$c[1] \wedge c[2]$. 

CNF formulas satisfy useful properties to check their satisfiability. Indeed, 
notice that a CNF formula is satisfied only when each of its clauses is satisfied 
individually. Thus, given a CNF formula a and an assignment A, if a clause 
in a has all its literals assigned value false, then A cannot be extended to a 
satisfying assignment. A clause that has all its literals assigned to value false 
is called a conflicting clause. We also say that a clause is in conflict when all 
of its literals are assigned the value false under A a . If there exists a clause in 
a such that the all but one of its literals have been assigned the value false, 
then the remaining literal must be assigned the value true for this clause to 
be satisfied. In particular, in every satisfying assignment which is an extension 
of the assignment A, the unassigned literal must be true. Such an unassigned 
literal is called a unit literal, and the clause it belongs to is called a unit clause. 

There are several algorithms for determining satisfiability of CNF formulas. 
Here, we use the algorithm proposed by Davis and Putnam and later modified 
by Davis, Logemann and Loveland [4]. The algorithm is based on the methods of 
Boolean constraint propagation (BCP) and conflict-based learning (CBL) and it 
is aimed at building a satisfying assignment for a given formula a in an incremen- 
tal manner. The BCP technique is the most important part of the algorithm; it 
determines a logical consequence of the current assignment by building an impli- 
cation graph and detecting unit clauses, and conflicting clauses. When a conflict 
is detected, as we mentioned above, the current assignment cannot be extended 
to a satisfying one. In this case, the technique of conflict-based learning is used 
to deduce a new clause that prevents similar conflicts from reoccurring. This 
new clause is called a conflict clause and is deduced by resolving the existing 
clauses using the implication graph as a guide. 

The following is a generic conflict-based learning procedure that takes an 
assignment A , a CNF formula a, and a conflicting clause c and produces a 
conflict clause by repeatedly applying resolution steps until either a termination 
condition T is satisfied, or no further steps are possible. We elaborate on the 
condition T below when we discuss how the procedure deduce is used by the 
procedure forall. 

procedure deduce(c, A, α) 
    while ¬T and there exists l ∈ c such that ¬l ∉ A 
        let c = resolvent of cl(¬l, A, α) and c 
    return c 

The resulting clause c is implied by a. Thus it can be added to a without 
changing its satisfiability. 

In the following we show a polynomial-time algorithm that, given a propositional 
formula $\alpha$, constructs a CNF formula which is unsatisfiable exactly when 
$\alpha$ is valid. The procedure works as follows. First, for every subformula $\beta$ of 
the formula $\alpha$ (including $\alpha$ itself) we introduce a distinct variable $l_\beta$. If $\beta$ is a 
propositional variable, then $l_\beta = \beta$. Next we assign a formula $\mathcal{CNF}(\beta)$ to every 
subformula $\beta$ according to the following rules: 

• if $\beta$ is a variable then $\mathcal{CNF}(\beta) = true$, 

• if $\beta = \neg\phi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge (l_\beta \vee l_\phi) \wedge (\neg l_\beta \vee \neg l_\phi)$, 

• if $\beta = \phi \vee \psi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge \mathcal{CNF}(\psi) \wedge (l_\beta \vee \neg l_\phi) \wedge (l_\beta \vee \neg l_\psi) \wedge (\neg l_\beta \vee l_\phi \vee l_\psi)$, 

• if $\beta = \phi \wedge \psi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge \mathcal{CNF}(\psi) \wedge (\neg l_\beta \vee l_\phi) \wedge (\neg l_\beta \vee l_\psi) \wedge (l_\beta \vee \neg l_\phi \vee \neg l_\psi)$, 

• if $\beta = \phi \to \psi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge \mathcal{CNF}(\psi) \wedge (l_\beta \vee l_\phi) \wedge (l_\beta \vee \neg l_\psi) \wedge (\neg l_\beta \vee \neg l_\phi \vee l_\psi)$. 

It can be shown [11] that the formula $\alpha$ is valid when the CNF formula $\mathcal{CNF}(\alpha) \wedge \neg l_\alpha$ 
is unsatisfiable. This follows from the fact that, for every total assignment A of the 
variables of $\alpha$, there is a unique satisfying assignment $A'$ of $\mathcal{CNF}(\alpha)$ consistent 
with A such that $A'(l_\alpha) = \alpha(A)$. 

In our method, in order to have a more succinct notation for complex 
operations on boolean formulas, we also use Quantified Boolean Formulas (QBF), 
an extension of propositional logic by means of quantifiers ranging over propositions. 
In BNF: $\alpha ::= p \mid \neg\alpha \mid \alpha \wedge \alpha \mid \exists p.\alpha \mid \forall p.\alpha$. The semantics of the quantifiers 
is defined as follows: 

• $\exists p.\alpha$ iff $\alpha(p \leftarrow true) \vee \alpha(p \leftarrow false)$, 

• $\forall p.\alpha$ iff $\alpha(p \leftarrow true) \wedge \alpha(p \leftarrow false)$, 

where $\alpha \in QBF$, $p \in W$ and $\alpha(p \leftarrow \psi)$ denotes substitution with the formula 
$\psi$ of every occurrence of the variable p in formula $\alpha$. 

We will use the notation $\forall v.\alpha$, where $v = (v[1], \ldots, v[m])$ is a vector of 
propositional variables, to denote $\forall v[1].\forall v[2] \ldots \forall v[m].\alpha$. 

What is important here is that for a given QBF formula $\forall v.\alpha$, we can 
construct a CNF formula equivalent to it by using the algorithm forall [11]. 

procedure forall(v, α), where v = (v[1], ..., v[m]) and α is a propositional formula 
    let φ = CNF(α) ∧ ¬l_α, χ = true, and A = ∅ 
    repeat 
        if φ contains false, return χ 
        else if some c in φ is in conflict 
            add clause deduce(c, A, φ) to φ 
            remove some literals from A 
        else if A_φ is total 
            choose a blocking clause d 
            remove literals of the form v[i] or ¬v[i] from d 
            add d to φ and χ 
        else 
            choose a literal l such that l ∉ A and ¬l ∉ A 
            add l to A 


The procedure works as follows. Initially it assumes an empty assignment $A$, a formula $\chi$ equal to $true$, and $\varphi$ to be the CNF formula $CNF(\alpha) \wedge \neg l_\alpha$. The algorithm aims at building a satisfying assignment for the formula $\varphi$, i.e., an assignment that falsifies $\alpha$. The search for an appropriate assignment is based on the Davis-Putnam-Logemann-Loveland approach. The following three cases may happen:

- A conflict is detected, i.e., there exists a clause in $\varphi$ such that all of its literals are false in $A_\varphi$. So, the assignment $A$ cannot be extended to a satisfying one. Then the procedure deduce is called to generate a conflict clause, which is added to $\varphi$, and the algorithm backtracks, i.e., it changes the assignment $A$ by withdrawing one of the previously assigned literals.

- A conflict does not exist and $A_\varphi$ is total, i.e., a satisfying assignment has been obtained. In this case we generate a new clause which is false in the current assignment $A_\varphi$ and whose complement characterizes a set of assignments falsifying the formula $\alpha$. This clause is called a blocking clause and it must have the following properties:

  - it contains only input variables, i.e., the variables over which the input formula $\alpha$ is built,
  - it is false in the current assignment,
  - it is implied by $l_\alpha \wedge CNF(\alpha)$.

  A blocking clause could be generated using the conflict-based learning procedure, but we require the blocking clause to contain only input variables. To do this we use an implication graph in which all the roots are input literals. Such a graph can be generated in the following way. Let $A_\varphi$ be a satisfying assignment for $\varphi$, $A' = A_\varphi|_V$, i.e., $A'$ is the projection of $A_\varphi$ onto the input variables, and let $\varphi' = CNF(\alpha) \wedge \chi$. It is not difficult to show that the assignment induced by $IG(A', \varphi')$ coincides with $A_\varphi$, i.e., both the graphs $IG(A', \varphi')$ and $IG(A, \varphi)$ induce the same assignment. Furthermore, the variable $l_\alpha$ is in conflict in $IG(A', \varphi')$, since $\varphi$ contains the clause $(\neg l_\alpha)$. Thus, a clause $deduce(l_\alpha, A', \varphi')$ is a blocking clause provided that it contains only input variables, which can be ensured by a termination condition $\mathcal{T}$.

  Next, in order to quantify universally over the variables $v[1], \ldots, v[m]$, the blocking clause is deprived of the literals of the form $v[i]$ or $\neg v[i]$. This is sufficient because the blocking clause is a single clause, so removing the quantified literals is exactly universal quantification over them. Then, what remains is added to the formulas $\varphi$ and $\chi$, and the algorithm continues, i.e., it again looks for a satisfying assignment of $\varphi$.

- The first two cases do not apply. Then the procedure extends the assignment $A$ by giving a value to a selected variable.

On termination, when $\varphi$ becomes unsatisfiable, $\chi$ is a conjunction of the blocking clauses and precisely characterizes $\forall v.\alpha$.

Theorem 1. Let $\alpha$ be a propositional formula and $v = (v[1], \ldots, v[m])$ be a vector of propositions. Then the QBF formula $\forall v.\alpha$ is logically equivalent to the CNF formula $forall(v, \alpha)$.

The proof of the above theorem follows from the correctness of the algorithm forall (see [11]).

Example 1. We illustrate in some detail (as performed by a solver) some basic operations of the procedure forall. To keep it simple, we explain these operations for a formula in CNF. So, let $\varphi = (\neg v_1) \wedge (v_1 \vee v_4 \vee \neg v_5) \wedge (\neg v_2 \vee v_3) \wedge (v_4 \vee v_5)$ and assume that $\varphi = CNF(\alpha) \wedge \neg l_\alpha$ for some formula $\alpha$. The aim of the procedure $forall(v_1, \alpha)$ is to find a formula in CNF equivalent to $\forall v_1.\alpha$. We only show how one blocking clause is generated and added to $\varphi$ and $\chi$. Notice that at the start of the procedure the assignment of $v_1$ is implied, as this variable is the only literal in a clause of $\varphi$ and must be false in order for that clause to be satisfied. Thus, we have $A = \{\neg v_1\}$. Now, the algorithm decides the assignment for another unassigned variable, say $A(v_2) = true$. This implies the assignment of $v_3$, namely $A(v_3) = true$, so that the clause $(\neg v_2 \vee v_3)$ is satisfied. Next, an assignment $A(v_4) = false$ is decided, but notice that this implies both $v_5$ (because of the clause $(v_4 \vee v_5)$) and $\neg v_5$ (because of the clause $(v_1 \vee v_4 \vee \neg v_5)$), a conflict. The implication graph is analysed (several algorithms can be applied [13]) and a learned clause $(v_1 \vee v_4)$ is generated and added to the working set of clauses (i.e., $\varphi$). Notice that the variables $v_2$ and $v_3$ are not responsible for this conflict. The learned clause greatly reduces the number of assignments to be examined, as the partial assignment $\{\neg v_1, \neg v_4\}$ is excluded from the future search irrespective of the valuations of the remaining variables. Next, the algorithm withdraws the assignment of $v_4$. Notice that the learned clause now implies $A(v_4) = true$. Thus, the satisfying assignment found is $A_\varphi = \{\neg v_1, v_2, v_3, v_4, v_5\}$.

A blocking clause $(v_1 \vee \neg v_4)$ is generated and the literal $v_1$ is removed from this clause. We obtain the blocking clause $d = (\neg v_4)$, and $d$ is added to $\varphi$ and $\chi$. The procedure keeps on going until $\varphi$ becomes unsatisfiable.
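The following Python program is an added illustration of the procedure forall and is not part of the paper or of VerICS. It builds $\varphi = CNF(\alpha) \wedge \neg l_\alpha$ by the Tseitin translation, searches for satisfying assignments with a small DPLL solver, and eliminates the quantified variables with blocking clauses. Two simplifications are assumptions of this example rather than the paper's method: the solver is plain DPLL without conflict-driven learning, and the blocking clause is the negation of the whole satisfying assignment projected onto the non-quantified input variables (false in the current assignment and implied by $\forall v.\alpha$, but the longest admissible clause, not the shorter one the paper derives from the implication graph). The input is constructed: the four clauses of Example 1 are taken as $\neg\alpha$ with all five variables as input variables, so $\forall v_1.\alpha$ must come out equivalent to $\neg v_4 \vee (v_2 \wedge \neg v_3)$; because of the different blocking-clause choice the clauses produced differ from the single clause $(\neg v_4)$ of Example 1, and a brute-force check confirms the result.

```python
from itertools import product

# Formula trees: ("var", i) for a positive int i, ("not", f), ("and", f, g), ("or", f, g).
# Literals are signed ints (DIMACS style); a clause is a list of literals.

def tseitin(f, clauses, fresh):
    """Return a literal l_f with clauses |= (l_f <-> f); fresh[0] is the last variable used."""
    if f[0] == "var":
        return f[1]
    if f[0] == "not":
        return -tseitin(f[1], clauses, fresh)
    a, b = tseitin(f[1], clauses, fresh), tseitin(f[2], clauses, fresh)
    fresh[0] += 1
    l = fresh[0]
    if f[0] == "and":                      # l <-> (a and b)
        clauses += [[-l, a], [-l, b], [l, -a, -b]]
    else:                                  # l <-> (a or b)
        clauses += [[-l, a, b], [l, -a], [l, -b]]
    return l

def unit_propagate(clauses, assign):
    """Extend assign (var -> bool) by unit propagation; return False on a conflict."""
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(assign.get(abs(lit)) == (lit > 0) for lit in c):
                continue                   # clause already satisfied
            free = [lit for lit in c if abs(lit) not in assign]
            if not free:
                return False               # all literals false: conflict
            if len(free) == 1:
                assign[abs(free[0])] = free[0] > 0
                changed = True
    return True

def dpll(clauses, assign=None):
    """Plain DPLL without clause learning: a model (dict) of clauses, or None."""
    assign = dict(assign or {})
    if not unit_propagate(clauses, assign):
        return None
    for c in clauses:
        for lit in c:
            if abs(lit) not in assign:     # branch on the first unassigned variable
                for value in (True, False):
                    model = dpll(clauses, {**assign, abs(lit): value})
                    if model is not None:
                        return model
                return None
    return assign

def forall(quantified, alpha, n_inputs):
    """Clause list chi equivalent to (forall v in quantified . alpha); chi mentions only
    the input variables 1..n_inputs that are not quantified."""
    clauses, fresh = [], [n_inputs]
    l_alpha = tseitin(alpha, clauses, fresh)
    phi = clauses + [[-l_alpha]]           # models of phi are the assignments falsifying alpha
    chi = []
    while (model := dpll(phi)) is not None:
        # Blocking clause (assumption of this example; the paper derives a shorter one from the
        # implication graph): negate the model on the non-quantified input variables. It is false
        # in the model and implied by forall v.alpha, because every free assignment in this cube
        # extends, with the model's values of the quantified variables, to one falsifying alpha.
        d = [(-x if model[x] else x) for x in range(1, n_inputs + 1)
             if x not in quantified and x in model]
        phi.append(d)
        chi.append(d)
    return chi                             # phi unsatisfiable: chi characterizes forall v.alpha

def evaluate(f, env):
    """Truth value of a formula tree under env (var -> bool)."""
    if f[0] == "var":
        return env[f[1]]
    if f[0] == "not":
        return not evaluate(f[1], env)
    if f[0] == "and":
        return evaluate(f[1], env) and evaluate(f[2], env)
    return evaluate(f[1], env) or evaluate(f[2], env)

def cnf_true(clauses, env):
    return all(any(env[abs(lit)] == (lit > 0) for lit in c) for c in clauses)

def equivalent_to_qbf(quantified, alpha, n_inputs, chi):
    """Brute force: chi and (forall quantified . alpha) agree on every free assignment."""
    free = [x for x in range(1, n_inputs + 1) if x not in quantified]
    for bits in product([False, True], repeat=len(free)):
        env = dict(zip(free, bits))
        qbf = all(evaluate(alpha, {**env, **dict(zip(sorted(quantified), qbits))})
                  for qbits in product([False, True], repeat=len(quantified)))
        if qbf != cnf_true(chi, env):
            return False
    return True

# Constructed input: the four clauses of Example 1 are taken as NOT alpha, so the models of
# phi = CNF(alpha) & not l_alpha are exactly the models of these clauses (all five variables
# are input variables here). Expected: forall v1.alpha  ==  (not v4) or (v2 and not v3).
def V(i): return ("var", i)
def N(f): return ("not", f)
ALPHA = N(("and", ("and", ("and", N(V(1)), ("or", ("or", V(1), V(4)), N(V(5)))),
                   ("or", N(V(2)), V(3))), ("or", V(4), V(5))))

def example():
    chi = forall({1}, ALPHA, 5)
    return chi, equivalent_to_qbf({1}, ALPHA, 5, chi)

if __name__ == "__main__":
    print(example())
```

Each blocking clause here is the negation of one full cube over $v_2, \ldots, v_5$, so the loop runs once per free assignment that has some $v_1$ falsifying $\alpha$; the paper's implication-graph clauses cover many such cubes at once, which is the whole point of its shorter blocking clauses and of the remark in the conclusions about their length.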

5 Fixed point characterization of CTLpK

In this section we show how the set of states satisfying any CTLpK formula can be characterized by a fixed point of an appropriate function. We follow and adapt, when necessary, the definitions given in [3].

Let $M = ((G, W, T, \sim_1, \ldots, \sim_n, \iota), V)$ be a model. Notice that the set $2^G$ of all subsets of $G$ forms a lattice under the set inclusion ordering. Each element $G' \subseteq G$ of the lattice can also be thought of as a predicate on $G$, where the predicate is viewed as being true for exactly the states in $G'$. The least element in the lattice is the empty set, which corresponds to the predicate $false$, and the greatest element in the lattice is the set $G$, which corresponds to $true$. A function $\tau$ mapping $2^G$ to $2^G$ is called a predicate transformer. A set $G' \subseteq G$ is a fixed point of a function $\tau : 2^G \rightarrow 2^G$ if $\tau(G') = G'$.

Whenever $\tau$ is monotonic (i.e., when $P \subseteq Q$ implies $\tau(P) \subseteq \tau(Q)$), $\tau$ has a least fixed point, denoted by $\mu Z.\tau(Z)$, and a greatest fixed point, denoted by $\nu Z.\tau(Z)$. When $\tau$ is monotonic and $\cup$-continuous (i.e., when $P_1 \subseteq P_2 \subseteq \ldots$ implies $\tau(\bigcup_i P_i) = \bigcup_i \tau(P_i)$), then $\mu Z.\tau(Z) = \bigcup_{i \geq 0} \tau^i(false)$. When $\tau$ is monotonic and $\cap$-continuous (i.e., when $P_1 \supseteq P_2 \supseteq \ldots$ implies $\tau(\bigcap_i P_i) = \bigcap_i \tau(P_i)$), then $\nu Z.\tau(Z) = \bigcap_{i \geq 0} \tau^i(true)$ (see [18]).

In order to obtain fixed point characterizations of the modal operators, we identify each CTLpK formula $\alpha$ with the set $\langle \alpha \rangle_M$ of states in $M$ at which this formula is true, formally $\langle \alpha \rangle_M = \{ s \in G \mid M, s \models \alpha \}$. If $M$ is clear from the context we omit the subscript $M$. Furthermore, we define functions $AX$, $AY$, $K_i$, $E_\Gamma$, $D_\Gamma$ from $2^G$ to $2^G$ as follows:

- $AX(Z) = \{ s \in G \mid \text{for every } s' \in G, \text{ if } (s, s') \in T \text{ then } s' \in Z \}$,

- $AY(Z) = \{ s \in G \mid \text{for every } s' \in G, \text{ if } (s', s) \in T \text{ then } s' \in Z \}$,

- $K_i(Z) = \{ s \in G \mid \text{for every } s' \in G, \text{ if } (\iota, s') \in T^* \text{ and } s \sim_i s' \text{ then } s' \in Z \}$,

- $E_\Gamma(Z) = \{ s \in G \mid \text{for every } s' \in G, \text{ if } (\iota, s') \in T^* \text{ and } s \sim^E_\Gamma s' \text{ then } s' \in Z \}$,

- $D_\Gamma(Z) = \{ s \in G \mid \text{for every } s' \in G, \text{ if } (\iota, s') \in T^* \text{ and } s \sim^D_\Gamma s' \text{ then } s' \in Z \}$.

Observe that $\langle O\alpha \rangle = O(\langle \alpha \rangle)$ for $O \in \{AX, AY, K_i, E_\Gamma, D_\Gamma\}$. Then the following temporal and epistemic operators may be characterized as the least or the greatest fixed point of an appropriate monotonic ($\cap$-continuous or $\cup$-continuous) predicate transformer:

- $\langle AG\alpha \rangle = \nu Z.\, \langle \alpha \rangle \cap AX(Z)$,

- $\langle A(\alpha U \beta) \rangle = \mu Z.\, \langle \beta \rangle \cup (\langle \alpha \rangle \cap AX(Z))$,

- $\langle AH\alpha \rangle = \nu Z.\, \langle \alpha \rangle \cap AY(Z)$,

- $\langle C_\Gamma \alpha \rangle = \nu Z.\, E_\Gamma(Z \cap \langle \alpha \rangle)$.

The first three equations are standard (see [6], [3]), whereas the fourth one is defined analogously, taking into account that $\sim^C_\Gamma$ is the reflexive and transitive closure of $\sim^E_\Gamma$.

6 Symbolic model checking on CTLpK

Let $M = (\mathcal{K}, V)$ with $\mathcal{K} = (G, W, T, \sim_1, \ldots, \sim_n, \iota)$. Recall that the set of global states $G = L_1 \times \cdots \times L_n$ is the Cartesian product of the sets of local states (without loss of generality we treat the environment as one of the agents).

We assume $L_i \subseteq \{0, 1\}^{n_i}$, where $n_i = \lceil \log_2(|L_i|) \rceil$, and let $n_1 + \ldots + n_n = m$, i.e., every local state is represented by a sequence consisting of 0's and 1's. Moreover, let $D_i$ be the set of the indexes of the bits of the local states of agent $i$ within the global states, i.e., $D_1 = \{1, \ldots, n_1\}, \ldots, D_n = \{m - n_n + 1, \ldots, m\}$.

Let $PV$ be a set of fresh propositional variables such that $PV \cap PV_K = \emptyset$, $F_{PV}$ be the set of propositional formulas over $PV$, and $lit : \{0, 1\} \times PV \rightarrow F_{PV}$ be a function defined as follows: $lit(0, p) = \neg p$ and $lit(1, p) = p$. Furthermore, let $w = (w[1], \ldots, w[m])$, where $w[i] \in PV$ for each $i = 1, \ldots, m$, be a global state variable. We use elements of $G$ as valuations^4 of global state variables in formulas of $F_{PV}$. For example, $w[1] \wedge w[2]$ evaluates to true for the valuation $q = (1, \ldots, 1)$, and it evaluates to false for the valuation $q = (0, \ldots, 0)$.

Now, the idea consists in using propositional formulas of $F_{PV}$ to encode sets of states of $G$. For example, the formula $w[1] \wedge \ldots \wedge w[m]$ encodes the state represented by $(1, \ldots, 1)$, whereas the formula $w[1]$ encodes all the states whose first bit is equal to 1.

Next, the following propositional formulas are defined:

- $I_s(w) := \bigwedge_{i=1}^{m} lit(s_i, w[i])$.
  This formula encodes the state $s = (s_1, \ldots, s_m)$ of the model, i.e., $s_i = 1$ is encoded by $w[i]$, and $s_i = 0$ is encoded by $\neg w[i]$.

- $H(w, v) := \bigwedge_{i=1}^{m} (w[i] \Leftrightarrow v[i])$.
  This formula represents logical equivalence between global state encodings, i.e., the fact that they represent the same state.

- $T(w, v)$ is a formula which is true for a valuation $(s_1, \ldots, s_m)$ of $(w[1], \ldots, w[m])$ and a valuation $(s'_1, \ldots, s'_m)$ of $(v[1], \ldots, v[m])$ iff $((s_1, \ldots, s_m), (s'_1, \ldots, s'_m)) \in T$.

^4 We identify 1 with true and 0 with false.

Our aim is to translate CTLpK formulas into propositional formulas. Specifically, for a given CTLpK formula $\varphi$ we compute a corresponding propositional formula $[\varphi](w)$, which encodes those states of the system that satisfy the formula. Operationally, we work outwards from the most nested subformulas, i.e., the atoms. In other words, to compute $[O\alpha](w)$, where $O$ is a modality, we work under the assumption of already having computed $[\alpha](w)$. To calculate the actual translations we use either the fixed point or the QBF characterization of CTLpK formulas. For example, the formula $[AX\alpha](w)$ is equivalent to the QBF formula $\forall v.(T(w, v) \Rightarrow [\alpha](v))$. We can use similar equivalences for the formulas $AY\alpha$, $K_i\alpha$, $D_\Gamma\alpha$, $E_\Gamma\alpha$. More specifically, we use the following three basic algorithms. The first one, implemented by the procedure forall, is used for formulas $O\alpha$ such that $O \in \{AX, AY, K_i, D_\Gamma, E_\Gamma\}$. This procedure eliminates the universal quantifier from a QBF formula representing a CTLpK formula, and returns the result in conjunctive normal form. The second algorithm, implemented by the procedure gfp_O, is applied to formulas $O\alpha$ such that $O \in \{AG, AH, C_\Gamma\}$. This procedure computes the greatest fixed point. For the formulas of the form $A(\alpha U \beta)$ we use a third procedure, called lfpAU, which computes the least fixed point. In so doing, given a formula $\varphi$ we obtain a propositional formula $[\varphi](w)$ such that $\varphi$ is valid in the model $M$ iff the conjunction $[\varphi](w) \wedge I_\iota(w)$ is satisfiable, i.e., $\iota \in \langle \varphi \rangle$. Below, we formalize the above discussion.

Definition 5 (Translation for UMC). Given a CTLpK formula $\varphi$, the propositional translation $[\varphi](w)$ is inductively defined as follows:

• $[p](w) := \bigvee_{s \in \langle p \rangle} I_s(w)$, for $p \in PV_K$,

• $[\neg\alpha](w) := \neg[\alpha](w)$,

• $[\alpha \wedge \beta](w) := [\alpha](w) \wedge [\beta](w)$,

• $[\alpha \vee \beta](w) := [\alpha](w) \vee [\beta](w)$,

• $[AX\alpha](w) := forall(v, (T(w, v) \Rightarrow [\alpha](v)))$,

• $[AY\alpha](w) := forall(v, (T(v, w) \Rightarrow [\alpha](v)))$,

• $[K_i\alpha](w) := forall(v, ((H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$,

• $[D_\Gamma\alpha](w) := forall(v, ((\bigwedge_{i \in \Gamma} H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$,

• $[E_\Gamma\alpha](w) := forall(v, ((\bigvee_{i \in \Gamma} H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$,

• $[AG\alpha](w) := gfpAG([\alpha](w))$,

• $[A(\alpha U \beta)](w) := lfpAU([\alpha](w), [\beta](w))$,

• $[AH\alpha](w) := gfpAH([\alpha](w))$,

• $[C_\Gamma\alpha](w) := gfpC_\Gamma([\alpha](w))$.

The algorithms gfp and lfp are based on the standard procedures computing fixed points.

procedure gfpAG([α](w)), where α is a CTLpK formula
  let Q(w) = [true](w), Z(w) = [α](w)
  while ¬(Q(w) ⇒ Z(w)) is satisfiable
    let Q(w) = Z(w),
    let Z(w) = forall(v, (T(w,v) ⇒ Z(v))) ∧ [α](w)
  return Q(w)

The procedure gfpAH is obtained by replacing in the above forall(v, (T(w,v) ⇒ Z(v))) with forall(v, (T(v,w) ⇒ Z(v))).

procedure gfpC_Γ([α](w)), where α is a CTLpK formula
  let Q(w) = [true](w), Z(w) = forall(v, ((∨_{i∈Γ} H_i(w,v) ∧ ¬gfpAH(¬I_ι(v))) ⇒ [α](v)))
  while ¬(Q(w) ⇒ Z(w)) is satisfiable
    let Q(w) = Z(w),
    let Z(w) = forall(v, ((∨_{i∈Γ} H_i(w,v) ∧ ¬gfpAH(¬I_ι(v))) ⇒ (Z(v) ∧ [α](v))))
  return Q(w)

procedure lfpAU([α](w), [β](w)), where α, β are CTLpK formulas
  let Q(w) = [false](w), Z(w) = [β](w)
  while ¬(Z(w) ⇒ Q(w)) is satisfiable
    let Q(w) = Q(w) ∨ Z(w),
    let Z(w) = forall(v, (T(w,v) ⇒ Q(v))) ∧ [α](w)
  return Q(w)


We now have all the ingredients in place to state the main result of this paper: modal satisfaction of a CTLpK formula can be rephrased as propositional satisfaction of an appropriate conjunction. Note that the translation is sound and complete (details of the proof are not given here).

Theorem 2 (UMC for CTLpK). Let $M$ be a model and $\varphi$ be a CTLpK formula. Then $M \models \varphi$ iff $[\varphi](w) \wedge I_\iota(w)$ is satisfiable.

Proof. Notice that $I_\iota(w)$ is satisfied only by the valuation $\iota = (\iota_1, \ldots, \iota_m)$ of $w = (w[1], \ldots, w[m])$. Thus $[\varphi](w) \wedge I_\iota(w)$ is satisfiable iff $[\varphi](w)$ is true for the valuation $\iota$ of $w$. On the other hand, for a model $M$, $M \models \varphi$ iff $M, \iota \models \varphi$, i.e., $\iota \in \langle \varphi \rangle$. Hence, we have to prove that $\iota \in \langle \varphi \rangle$ iff $[\varphi](w)$ is true for the valuation $\iota$ of $w$. The proof is by induction on the complexity of $\varphi$. The theorem follows directly for the propositional variables. Next, assume that the hypothesis holds for all the proper subformulas of $\varphi$. If $\varphi$ is equal to either $\neg\alpha$, $\alpha \wedge \beta$, or $\alpha \vee \beta$, then it is easy to check that the theorem holds.

For the modal formulas, let $P$ be a set of states and $\alpha_P(w)$ a propositional formula such that $\alpha_P(w)$ is true for the valuation $s = (s_1, \ldots, s_m)$ of $w = (w[1], \ldots, w[m])$ iff $s \in P$. Note that given any $P$, $\alpha_P$ is well defined: since the set $G$ of all states is finite, one can take $\bigvee_{s \in P} I_s(w)$ as $\alpha_P(w)$. Consider $\varphi$ to be of the following forms:





• $\varphi = AY\alpha$. We will prove that $\iota \in \langle AY\alpha \rangle$ iff the formula $[AY\alpha](w)$ is true for the valuation $\iota$ of $w$.

First we prove that:

(*) $s \in AY(P)$ iff the formula $\forall v.(T(v, w) \Rightarrow \alpha_P(v))$ is true for the valuation $s$ of $w$.

$s \in AY(P)$ iff $s \in \{ s' \in G \mid \text{for every } s'' \in G, \text{ if } (s'', s') \in T \text{ then } s'' \in P \}$. On the one hand, $(s'', s') \in T$ iff $T(v, w)$ is true for the valuation $s'$ of $w$ and the valuation $s''$ of $v$. Moreover, $s'' \in P$ iff the formula $\alpha_P(v)$ is true for the valuation $s''$ of $v$. Thus $s \in AY(P)$ iff the formula $T(v, w) \Rightarrow \alpha_P(v)$ is true for the valuation $s$ of $w$ and every valuation $s''$ of $v$. Hence, $s \in AY(P)$ iff the QBF formula $\forall v.(T(v, w) \Rightarrow \alpha_P(v))$ is true for the valuation $s$ of $w$.

Therefore, $\iota \in \langle AY\alpha \rangle$ iff $\iota \in AY(\langle \alpha \rangle)$ iff (by the inductive assumption and (*)) the formula $\forall v.(T(v, w) \Rightarrow [\alpha](v))$ is true for the valuation $\iota$ of $w$ iff (by Theorem 1) the propositional formula $forall(v, T(v, w) \Rightarrow [\alpha](v))$ is true for the valuation $\iota$ of $w$ iff $[AY\alpha](w)$ is true for the valuation $\iota$ of $w$.

• $\varphi = AX\alpha$. The proof is analogous to the former case.

• $\varphi = AH\alpha$. We will show that $\iota \in \langle AH\alpha \rangle$ iff the formula $[AH\alpha](w)$ is true for the valuation $\iota$ of $w$.

First we prove that:

(*) $s \in \nu Z.\, P \cap AY(Z)$ iff the formula $gfpAH(\alpha_P(w))$ is true for the valuation $s$ of $w$.

Let $\tau(Z) = P \cap AY(Z)$. Then $s \in \nu Z.\tau(Z)$ iff $s \in \bigcap_{i \geq 0} \tau^i(true)$ (i.e., $s \in \bigcap_{i \geq 0} \tau^i(G)$). Thus, $s \in \nu Z.\tau(Z)$ iff $s \in \tau^i(G)$ for the least $i$ such that $\tau^i(G) \subseteq \tau^{i+1}(G)$, since for every $i \geq 0$ we have $\tau^{i+1}(G) \subseteq \tau^i(G)$. On the other hand, $s \in \tau(Z)$ iff the formula $\alpha_P(w) \wedge \forall v.(T(v, w) \Rightarrow \alpha_Z(v))$ is true for the valuation $s$ of $w$ iff (by Theorem 1) the formula $\alpha_P(w) \wedge forall(v, T(v, w) \Rightarrow \alpha_Z(v))$ is true for the valuation $s$ of $w$.

Let $Z^0(w) = \alpha_P(w)$ and $Z^i(w) = \alpha_P(w) \wedge forall(v, (T(v, w) \Rightarrow Z^{i-1}(v)))$ for $i > 0$. Notice that $s \in \tau^i(G)$ iff $Z^i(w)$ is true for the valuation $s$ of $w$. Moreover, $Q_i(w) = Z^{i-1}(w)$ and $Z_i(w) = Z^i(w)$ are invariants of the while-loop of the procedure $gfpAH(\alpha_P(w))$. Hence on termination, when $Q_{i_0}(w) \Rightarrow Z^{i_0}(w)$, where $i_0$ is the least $i$ such that $Q_i(w) \Rightarrow Z_i(w)$, $gfpAH(\alpha_P(w)) = Z^{i_0}(w)$ is a formula that is true for the valuation $s$ of $w$ iff $s \in \nu Z.\tau(Z)$.

Therefore, $\iota \in \langle AH\alpha \rangle$ iff $\iota \in \nu Z.\, \langle \alpha \rangle \cap AY(Z)$ iff (by the inductive assumption and (*)) the propositional formula $gfpAH([\alpha](w))$ is true for the valuation $\iota$ of $w$ iff the propositional formula $[AH\alpha](w)$ is true for the valuation $\iota$ of $w$.

• $\varphi = AG\alpha \mid C_\Gamma\alpha \mid A(\alpha U \beta)$. The proof is analogous to the former case.

• $\varphi = K_i\alpha$. In order to show that $\iota \in \langle K_i\alpha \rangle$ iff the formula $[K_i\alpha](w)$ is true for the valuation $\iota$ of $w$, first we prove that:

(*) $s \in K_i(P)$ iff the formula $\forall v.(\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow \alpha_P(v))$ is true for the valuation $s$ of $w$.

To this aim we prove the following two facts:

(**) $(\iota, s'') \in T^*$ iff $\neg gfpAH(\neg I_\iota(v))$ is true for the valuation $s''$ of $v$.

Observe that $s'' \in G \setminus \{\iota\}$ iff $\neg I_\iota(v)$ is true for the valuation $s''$ of $v$. On the other hand, $(\iota, s'') \notin T^*$ iff $s'' \in \nu Z.\, (G \setminus \{\iota\}) \cap AY(Z)$. Hence $(\iota, s'') \in T^*$ iff $s'' \notin \nu Z.\, (G \setminus \{\iota\}) \cap AY(Z)$ iff $gfpAH(\neg I_\iota(v))$ is false for the valuation $s''$ of $v$ iff $\neg gfpAH(\neg I_\iota(v))$ is true for the valuation $s''$ of $v$.

(***) $s' \sim_i s''$ iff $H_i(w, v)$ is true for the valuation $s'$ of $w$ and the valuation $s''$ of $v$.

$s' \sim_i s''$ iff $l_i(s') = l_i(s'')$ iff $\bigwedge_{j \in D_i} s'_j = s''_j$ iff the formula $\bigwedge_{j \in D_i} (w[j] \Leftrightarrow v[j])$ is true for the valuation $s'$ of $w$ and the valuation $s''$ of $v$ iff $H_i(w, v)$ is true for the valuation $s'$ of $w$ and the valuation $s''$ of $v$.

Thus by (**) and (***), $s \in K_i(P)$ iff for the valuation $s$ of $w$ and every valuation $s''$ of $v$ the formula $\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow \alpha_P(v)$ is true iff the QBF formula $\forall v.(\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow \alpha_P(v))$ is true for the valuation $s$ of $w$.

Therefore, $\iota \in \langle K_i\alpha \rangle$ iff $\iota \in K_i(\langle \alpha \rangle)$ iff (by the inductive assumption and (*)) the formula $\forall v.(\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow [\alpha](v))$ is true for the valuation $\iota$ of $w$ iff (by Theorem 1) the propositional formula $forall(v, \neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow [\alpha](v))$ is true for the valuation $\iota$ of $w$ iff $[K_i\alpha](w)$ is true for the valuation $\iota$ of $w$.

• $\varphi = D_\Gamma\alpha \mid E_\Gamma\alpha$. The proof is analogous to the former case.

6.1 Optimizations of algorithms

In our implementation we apply some optimizations to the fixed point computing algorithms described above. Precisely, we compute $[AG\alpha](w)$ and $[AH\alpha](w)$ using the following frontier set simplification method [11]. Define the formula $(\forall v.\alpha)\downarrow\delta$ as some propositional formula such that $\delta \wedge (\forall v.\alpha)\downarrow\delta$ is equivalent to $\delta \wedge \forall v.\alpha$. The formula $(\forall v.\alpha)\downarrow\delta$ is computed using the procedure forall with a slight modification. Next, we compute $[AG\alpha](w)$ as the conjunction of the following sequence: $Z_1(w) = [\alpha](w)$, $Z_{i+1}(w) = (\forall v.(T(w, v) \Rightarrow Z_i(v)))\downarrow\bigwedge_{j=1}^{i} Z_j(w)$. The sequence converges when $\bigwedge_{j=1}^{i} Z_j(w)$ already implies $forall(v, (T(w, v) \Rightarrow Z_i(v)))$, in which case $Z_{i+1}(w)$ is the constant $true$. The procedure fssmAG for computing $[AG\alpha](w)$ is as follows.

procedure fssmAG([α](w)), where α is a CTLpK formula
  let Z(w) = Q(w) = [α](w)
  while Z(w) ≠ true
    let Z(w) = (∀v.(T(w,v) ⇒ Z(v)))↓Q(w)
    let Q(w) = Q(w) ∧ Z(w)
  return Q(w)

The procedure fssmAH for computing $[AH\alpha](w)$ is obtained by replacing in the above $(\forall v.(T(w, v) \Rightarrow Z(v)))\downarrow Q(w)$ with $(\forall v.(T(v, w) \Rightarrow Z(v)))\downarrow Q(w)$. A similar procedure can be obtained for computing the formulas $[C_\Gamma\alpha](w)$.

7 Example of Train, Gate and Controller

In this section we exemplify the procedure above by discussing the scenario of the train controller system (adapted from [20]). The system consists of three agents: two trains (agents 1 and 3) and a controller (agent 2). The trains, one Eastbound, the other Westbound, occupy a circular track. At one point, both tracks pass through a narrow tunnel. There is no room for both trains to be in the tunnel at the same time, so the trains must avoid this. There are traffic lights on both sides of the tunnel, which can be either red or green. Both trains are equipped with a signaller that they use to send a signal when they approach the tunnel. The controller can receive signals from both trains and controls the colour of the traffic lights. The task of the controller is to ensure that the trains are never both in the tunnel at the same time. The trains follow the traffic light signals diligently, i.e., they stop on red.

Fig. 1. The local transition structures for the two trains and the controller

We can model the example above with an interpreted system as follows. The local states for the agents are:

• $L_{train_1} = \{away_1, wait_1, tunnel_1\}$,

• $L_{controller} = \{red, green\}$,

• $L_{train_2} = \{away_2, wait_2, tunnel_2\}$.

The set of global states is defined as $G = L_{train_1} \times L_{controller} \times L_{train_2}$. Let $\iota = (away_1, green, away_2)$ be the initial state. We assume that the local states are numbered in the following way: $away_1 := 1$, $wait_1 := 2$, $tunnel_1 := 3$, $red := 4$, $green := 5$, $away_2 := 6$, $wait_2 := 7$, $tunnel_2 := 8$, and the agents are numbered as follows: $train_1 := 1$, $controller := 2$, $train_2 := 3$. Thus we assume the set of agents $\mathcal{A}$ to be $\{1, 2, 3\}$.

Let $Act = \{a_1, \ldots, a_6\}$ be the set of joint actions. For $a \in Act$ we define the preconditions $pre(a)$, the postconditions $post(a)$, and the set $agent(a)$ containing the numbers of the agents that may change local states by executing $a$:

• $pre(a_1) = \{1\}$, $post(a_1) = \{2\}$, $agent(a_1) = \{1\}$,






• $pre(a_2) = \{2, 5\}$, $post(a_2) = \{3, 4\}$, $agent(a_2) = \{1, 2\}$,

• $pre(a_3) = \{3, 4\}$, $post(a_3) = \{1, 5\}$, $agent(a_3) = \{1, 2\}$,

• $pre(a_4) = \{6\}$, $post(a_4) = \{7\}$, $agent(a_4) = \{3\}$,

• $pre(a_5) = \{5, 7\}$, $post(a_5) = \{4, 8\}$, $agent(a_5) = \{2, 3\}$,

• $pre(a_6) = \{4, 8\}$, $post(a_6) = \{5, 6\}$, $agent(a_6) = \{2, 3\}$.

In our formulas we use the following two propositional variables, $in\_tunnel_1$ and $in\_tunnel_2$, such that $in\_tunnel_1 \in V(s)$ iff $l_{train_1}(s) = tunnel_1$ and $in\_tunnel_2 \in V(s)$ iff $l_{train_2}(s) = tunnel_2$, for $s \in G$.

We now encode the local states in binary form in order to use them in the model checking technique. Given that agent $train_1$ can be in 3 different local states, we need 2 bits to encode its state; in particular we take $(0, 0) = away_1$, $(1, 0) = wait_1$, $(0, 1) = tunnel_1$. Similarly for the agent $train_2$: $(0, 0) = away_2$, $(1, 0) = wait_2$, $(0, 1) = tunnel_2$. The modelling of the local states of the controller requires only one bit: $(0) = green$, $(1) = red$. In view of this, a global state is modelled by 5 bits. For instance, the initial state $\iota = (away_1, green, away_2)$ is represented as a tuple of five 0's. Notice that the first two bits of a global state encode the local state of agent 1, the third bit encodes the local state of agent 2, and the two remaining bits encode the local state of agent 3. We represent this by taking $D_1 = \{1, 2\}$, $D_2 = \{3\}$, $D_3 = \{4, 5\}$.

Let $w = (w[1], \ldots, w[5])$ and $v = (v[1], \ldots, v[5])$ be two global state variables. We define the following propositional formulas over $w$ and $v$:

• $I_\iota(w) := \bigwedge_{i \in D_1 \cup D_2 \cup D_3} \neg w[i]$,
  this formula encodes the initial state,

• $H_i(w, v) := \bigwedge_{j \in D_i} (w[j] \Leftrightarrow v[j])$,
  this formula, for $i \in \mathcal{A}$, represents logical equivalence between the local states of agent $i$ at the two global states represented by the variables $w$ and $v$,

• $p_1(w) := \neg w[1] \wedge \neg w[2]$, $p_2(w) := w[1] \wedge \neg w[2]$, $p_3(w) := \neg w[1] \wedge w[2]$, $p_4(w) := w[3]$, $p_5(w) := \neg w[3]$, $p_6(w) := \neg w[4] \wedge \neg w[5]$, $p_7(w) := w[4] \wedge \neg w[5]$, $p_8(w) := \neg w[4] \wedge w[5]$,
  the formula $p_j(w)$, for $j = 1, \ldots, 8$, encodes a particular local state of an agent.

For $a \in Act$, let $B_a := \bigcup_{i \in \mathcal{A} \setminus agent(a)} D_i$ be the set of the labels of the bits that are not changed by the action $a$. Then

• $T(w, v) := \bigvee_{a \in Act} \big( \bigwedge_{j \in pre(a)} p_j(w) \wedge \bigwedge_{j \in post(a)} p_j(v) \wedge \bigwedge_{j \in B_a} (w[j] \Leftrightarrow v[j]) \big) \vee \big( \bigwedge_{a \in Act} \bigvee_{j \in pre(a)} \neg p_j(w) \wedge \bigwedge_{j \in D_1 \cup D_2 \cup D_3} (w[j] \Leftrightarrow v[j]) \big)$.

Intuitively, $T(w, v)$ encodes the set of all pairs of global states $s$ and $s'$, represented by the variables $w$ and $v$ respectively, such that $s'$ is reachable from $s$ in one step, i.e., either there exists a joint action $a$ which is enabled at $s$ and $s'$ is the result of executing $a$ at $s$, or there is no such action and $s'$ equals $s$. Notice that the above formula is composed of two parts. The first one encodes the transition relation of the system, whereas the second one adds self-loops to all the states without successors. This is necessary in order to satisfy the assumption that $T$ is total.
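As an added example (not from the paper or from VerICS), the following Python program spells out the encoding above on concrete bit vectors: $p_j(w)$, $I_\iota(w)$, $H_i(w, v)$ and $T(w, v)$ are implemented as functions of valuations in $\{0, 1\}^5$, with the frame conditions over $B_a$ and the self-loop disjunct of $T(w, v)$ written out exactly as defined. The universal quantifier of $[AX(\neg in\_tunnel_1)](w)$ is then decided by enumerating all 32 valuations of $v$ instead of calling the procedure forall, which is only feasible for a 5-bit state space; the point is to check the encoding against what one expects of the model (exactly 8 valuations reachable from $\iota$, no reachable valuation with both trains in the tunnel, deadlocked valuations related to themselves only). Function names are this example's own.

```python
from itertools import product

# Bit encoding from Section 7: bits 1-2 = train1, bit 3 = controller, bits 4-5 = train2.
# P[j] gives the bit values required by the local-state formula p_j(w).
P = {1: {1: 0, 2: 0}, 2: {1: 1, 2: 0}, 3: {1: 0, 2: 1},      # away1, wait1, tunnel1
     4: {3: 1}, 5: {3: 0},                                  # red, green
     6: {4: 0, 5: 0}, 7: {4: 1, 5: 0}, 8: {4: 0, 5: 1}}     # away2, wait2, tunnel2
D = {1: {1, 2}, 2: {3}, 3: {4, 5}}                          # D_i: bit labels of agent i
BITS = (1, 2, 3, 4, 5)
# Joint actions a1..a6 as (pre, post, agent) from Section 7.
ACTIONS = [({1}, {2}, {1}), ({2, 5}, {3, 4}, {1, 2}), ({3, 4}, {1, 5}, {1, 2}),
           ({6}, {7}, {3}), ({5, 7}, {4, 8}, {2, 3}), ({4, 8}, {5, 6}, {2, 3})]
IOTA = (0, 0, 0, 0, 0)                                      # (away1, green, away2)
VALUATIONS = list(product((0, 1), repeat=5))                # every valuation of w (or v)

# Valuations are tuples, so the paper's w[j] is w[j - 1] below.
def p(j, w):
    return all(w[b - 1] == val for b, val in P[j].items())

def I_iota(w):                                   # I_iota(w) = AND_j not w[j]
    return all(w[b - 1] == 0 for b in BITS)

def H(i, w, v):                                  # H_i(w,v) = AND_{j in D_i} (w[j] <-> v[j])
    return all(w[b - 1] == v[b - 1] for b in D[i])

def T(w, v):
    """T(w,v): some joint action enabled at w leads to v with the bits in B_a unchanged,
    or no action is enabled at w and v equals w (the self-loop disjunct keeping T total)."""
    for pre, post, agents in ACTIONS:
        B_a = set(BITS).difference(*(D[i] for i in agents))
        if (all(p(j, w) for j in pre) and all(p(j, v) for j in post)
                and all(w[b - 1] == v[b - 1] for b in B_a)):
            return True
    none_enabled = all(any(not p(j, w) for j in pre) for pre, _, _ in ACTIONS)
    return none_enabled and w == v

def in_tunnel1(w): return p(3, w)                # [in_tunnel1](w) = not w[1] and w[2]
def in_tunnel2(w): return p(8, w)                # [in_tunnel2](w) = not w[4] and w[5]

def ax_not_in_tunnel1(w):
    """[AX(not in_tunnel1)](w), i.e. the QBF  forall v.(T(w,v) => (v[1] or not v[2])),
    decided by enumerating v instead of by the procedure forall."""
    return all((not T(w, v)) or v[0] == 1 or v[1] == 0 for v in VALUATIONS)

def reachable_valuations():
    """Valuations s with (iota, s) in T*, computed from T(w,v) alone."""
    seen, todo = {IOTA}, [IOTA]
    while todo:
        w = todo.pop()
        for v in VALUATIONS:
            if T(w, v) and v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def check():
    """(number of reachable valuations, tunnel never shared on them, AX(not in_tunnel1) at iota)."""
    reach = reachable_valuations()
    shared = any(in_tunnel1(w) and in_tunnel2(w) for w in reach)
    return len(reach), not shared, ax_not_in_tunnel1(IOTA)

if __name__ == "__main__":
    print(check())
```

Because $AX(\neg in\_tunnel_1)$ is true at $\iota$ (its only successors are $(wait_1, green, away_2)$ and $(away_1, green, wait_2)$), the negated formula $\neg AX(\neg in\_tunnel_1)$ conjoined with $I_\iota(w)$ is unsatisfiable, which is the bit-level reading of the $\alpha_0$ computation that follows. The enumeration over 32 valuations of $v$ is what the procedure forall replaces by SAT calls and blocking clauses when $m$ is large.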
Consider now the following formulas:

• $\alpha_0 = \neg AX(\neg in\_tunnel_1)$,

• $\alpha_1 = AG(in\_tunnel_1 \Rightarrow K_{train_1}(\neg in\_tunnel_2))$,

• $\alpha_2 = AG(\neg in\_tunnel_1 \Rightarrow (\neg K_{train_1}\, in\_tunnel_2 \wedge \neg K_{train_1}(\neg in\_tunnel_2)))$,

where $in\_tunnel_1$ (respectively $in\_tunnel_2$) is a proposition true whenever the local state of $train_1$ is equal to $tunnel_1$ (respectively the local state of $train_2$ is equal to $tunnel_2$).

The first formula states that agent $train_1$ may be in the tunnel at the next step. The second formula expresses that when agent $train_1$ is in the tunnel, it knows that agent $train_2$ is not in the tunnel. The third formula expresses that when agent $train_1$ is away from the tunnel, it does not know whether or not agent $train_2$ is in the tunnel.

As discussed above, the translation of the propositions $in\_tunnel_1$ and $in\_tunnel_2$ is as follows:

• $[in\_tunnel_1](w) = \neg w[1] \wedge w[2]$,

• $[in\_tunnel_2](w) = \neg w[4] \wedge w[5]$.

Next, we show how to translate the formula $\alpha_0$:

$[\alpha_0](w) = [\neg AX(\neg in\_tunnel_1)](w) = \neg[AX(\neg in\_tunnel_1)](w)$.

The formula $[AX(\neg in\_tunnel_1)](w)$ is computed as follows:
$[AX(\neg in\_tunnel_1)](w) = forall(v, T(w, v) \Rightarrow [\neg in\_tunnel_1](v)) = forall(v, T(w, v) \Rightarrow \neg(\neg v[1] \wedge v[2])) = forall(v, T(w, v) \Rightarrow (v[1] \vee \neg v[2]))$.
Consequently $[\alpha_0](w) = \neg forall(v, T(w, v) \Rightarrow (v[1] \vee \neg v[2]))$ and
$[\alpha_0](w) \wedge I_\iota(w) = \neg forall(v, T(w, v) \Rightarrow (v[1] \vee \neg v[2])) \wedge I_\iota(w) = ((w[1] \wedge \neg w[2] \wedge \neg w[3]) \vee (\neg w[1] \wedge w[2] \wedge \neg w[3] \wedge \neg w[5]) \vee (\neg w[1] \wedge w[2] \wedge w[3] \wedge \neg w[4]) \vee (\neg w[1] \wedge w[2] \wedge \neg w[3] \wedge (\neg w[4] \vee w[5]))) \wedge I_\iota(w) = false$.
Therefore $\alpha_0$ is not valid in the model.

Both the formulas $\alpha_1$ and $\alpha_2$ are valid in the model, since
$[\alpha_1](w) \wedge I_\iota(w) = true \wedge I_\iota(w) = \neg w[1] \wedge \neg w[2] \wedge \neg w[3] \wedge \neg w[4] \wedge \neg w[5]$ and
$[\alpha_2](w) \wedge I_\iota(w) = (\neg w[1] \vee \neg w[2]) \wedge I_\iota(w) = \neg w[1] \wedge \neg w[2] \wedge \neg w[3] \wedge \neg w[4] \wedge \neg w[5]$.
This corresponds to our intuition.
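As an added example (not from the paper or from VerICS), the following Python program checks the same three formulas by the set-based fixed point characterization of Section 5 rather than symbolically: it builds the 18 global states of the train, gate and controller model from the local states and joint actions, computes $\langle \alpha \rangle$ with $AX$, $K_i$ and $E_\Gamma$ as operations on explicit sets of states, iterates the $\nu$ and $\mu$ fixed points until they stabilize, and tests $\iota \in \langle \alpha \rangle$. The results agree with the symbolic computation above ($\alpha_0$ not valid, $\alpha_1$ and $\alpha_2$ valid), and the controller's safety task $AG\,\neg(in\_tunnel_1 \wedge in\_tunnel_2)$ is checked as well. The tuple encoding of formulas and the function names are assumptions of this example.

```python
from itertools import product

# Local states numbered as in Section 7: train1 = {1,2,3} (away1, wait1, tunnel1),
# controller = {4,5} (red, green), train2 = {6,7,8} (away2, wait2, tunnel2).
LOCAL_STATES = {1: (1, 2, 3), 2: (4, 5), 3: (6, 7, 8)}
INITIAL = (1, 5, 6)                                    # iota = (away1, green, away2)
# Joint actions a1..a6 as (pre, post, agents) from Section 7.
ACTIONS = [({1}, {2}, {1}), ({2, 5}, {3, 4}, {1, 2}), ({3, 4}, {1, 5}, {1, 2}),
           ({6}, {7}, {3}), ({5, 7}, {4, 8}, {2, 3}), ({4, 8}, {5, 6}, {2, 3})]
ATOMS = {"in_tunnel1": lambda s: s[0] == 3, "in_tunnel2": lambda s: s[2] == 8}

G = set(product(*LOCAL_STATES.values()))               # all 3 * 2 * 3 = 18 global states

def successors(s):
    """Results of every joint action enabled at s; a self-loop if none is (T stays total)."""
    out = set()
    for pre, post, agents in ACTIONS:
        if pre <= set(s):
            t = list(s)
            for i in agents:                           # agent i takes its own post-state
                t[i - 1] = next(l for l in post if l in LOCAL_STATES[i])
            out.add(tuple(t))
    return out or {s}

T = {s: successors(s) for s in G}

def reachable_states():
    seen, todo = {INITIAL}, [INITIAL]
    while todo:
        for t in T[todo.pop()]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

REACH = reachable_states()                             # states s' with (iota, s') in T*

# Predicate transformers of Section 5 on explicit sets of states.
def AX(Z):
    return {s for s in G if T[s] <= Z}

def K(i, Z):                                           # s ~_i t iff equal local state of agent i
    return {s for s in G if all(t in Z for t in REACH if t[i - 1] == s[i - 1])}

def E(group, Z):                                       # ~^E_Gamma: union of ~_i over the group
    return {s for s in G
            if all(t in Z for t in REACH if any(t[i - 1] == s[i - 1] for i in group))}

def fixed_point(tau, start):
    """Iterate tau from start (G for nu, the empty set for mu) until it stabilizes."""
    Z = set(start)
    while True:
        Z_next = tau(Z)
        if Z_next == Z:
            return Z
        Z = Z_next

def sat(f):
    """<f>: the set of global states at which the CTLpK formula f holds."""
    op = f[0]
    if op == "atom": return {s for s in G if ATOMS[f[1]](s)}
    if op == "not":  return G - sat(f[1])
    if op == "and":  return sat(f[1]) & sat(f[2])
    if op == "or":   return sat(f[1]) | sat(f[2])
    if op == "AX":   return AX(sat(f[1]))
    if op == "K":    return K(f[1], sat(f[2]))
    if op == "AG":                                     # nu Z . <a> & AX(Z)
        a = sat(f[1]); return fixed_point(lambda Z: a & AX(Z), G)
    if op == "AU":                                     # mu Z . <b> | (<a> & AX(Z))
        a, b = sat(f[1]), sat(f[2]); return fixed_point(lambda Z: b | (a & AX(Z)), set())
    if op == "C":                                      # nu Z . E_Gamma(Z & <a>)
        a = sat(f[2]); return fixed_point(lambda Z: E(f[1], Z & a), G)
    raise ValueError(op)

def holds(f):
    """M |= f iff iota is in <f>."""
    return INITIAL in sat(f)

def implies(a, b): return ("or", ("not", a), b)
IT1, IT2 = ("atom", "in_tunnel1"), ("atom", "in_tunnel2")
ALPHA0 = ("not", ("AX", ("not", IT1)))
ALPHA1 = ("AG", implies(IT1, ("K", 1, ("not", IT2))))
ALPHA2 = ("AG", implies(("not", IT1),
                        ("and", ("not", ("K", 1, IT2)), ("not", ("K", 1, ("not", IT2))))))
MUTEX = ("AG", ("not", ("and", IT1, IT2)))             # the controller's safety task

if __name__ == "__main__":
    for name, f in [("alpha0", ALPHA0), ("alpha1", ALPHA1), ("alpha2", ALPHA2), ("mutex", MUTEX)]:
        print(name, holds(f))
```

Note that $K_i$ and $E_\Gamma$ range over the reachable states only (the $(\iota, s') \in T^*$ condition), which is what the symbolic translation expresses with $\neg gfpAH(\neg I_\iota(v))$; the outer $AG$ and the fixed points themselves are computed over all 18 states, as the symbolic procedures do over all valuations of $w$.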

8 Preliminary Experimental Results

In this section we describe an implementation of the UMC algorithm and present some preliminary experimental results for selected benchmark examples.

Our tool, unbounded model checking for interpreted systems, is a new module of the verification environment VerICS [5]. The tool takes as input an interpreted system and a CTLpK formula $\varphi$ and produces the set of states (encoded symbolically) in which the formula holds. The implementation consists of two main parts: the translation module and the forall module. According to the detailed description in the former sections, each subformula $\psi$ of $\varphi$ is encoded (by the translation module) by a QBF formula which characterizes all the states at which $\psi$ holds. In the case of a modal formula, the corresponding QBF formula is then evaluated by the forall module, which is implemented on top of the SAT solver Zchaff [13]. The whole tool is written in C++, making intensive use of the STL libraries.

The tests presented below have been performed on a workstation equipped with an AMD Athlon XP 2400+ processor and 2 GB RAM running Red Hat Linux. For each of the results we present the time (in seconds) used by VerICS and Zchaff, and give the RAM (in kB) consumed during the computation.

8.1 Train, Gate and Controller - example parameterized

The first example we have tested is the train, gate and controller system presented in Section 7. In order to show how the algorithm copes with the combinatorial explosion, this example is parameterized with the number of trains $N$. For a given $N \in \{2, 4, 6\}$, we have generalized the property $\alpha_2$ of Section 7 to $N$ trains: $\alpha_2(N) = AG(\neg in\_tunnel_1 \Rightarrow (\neg K_{train_1} \bigwedge_{i=2..N} \neg in\_tunnel_i \wedge \neg K_{train_1} \bigvee_{i=2..N} in\_tunnel_i))$.

The results (time and memory consumption) are presented in Table 1. SAT-time denotes the amount of time necessary to determine by means of unmodified Zchaff whether the obtained set of states contains an initial state (this is a SAT problem).


Property $\alpha_2(N)$:

  N | CNF clauses | UMC-mem | UMC-time | SAT-time
  2 |         557 | 2260 kB |   0.12 s |   0.01 s
  4 |        5214 | 8376 kB |   1.51 s |   0.01 s
  6 |       58489 |   64 MB |  46.55 s |   0.01 s

Table 1. Experimental results for Train-Gate-Controller


8.2 Attacking Generals

The second analyzed example is the attacking generals scenario, often discussed in the area of MAS, distributed computing as well as epistemic logic. It concerns coordination of agents in the presence of unreliable communication and is also known as the coordinated attack problem [8].

For the purpose of this paper, we choose a particular joint protocol for the scenario and verify the truth and falsehood of particular formulas that capture its key characteristics. The variant we analyse is the following (for a more detailed protocol description we refer to [10]):

After having studied the opportunity of doing so, general A may issue a request-to-attack order to general B. A will then wait to receive an acknowledgment from B, and will attack immediately after having received it. General B will not issue request-to-attack orders himself, but if his assistance is requested, he will acknowledge the request, and will attack after a suitable time for his messenger to reach A (assuming no delays) has elapsed. A joint attack guarantees success, and any non-coordinated attack causes defeat of the army involved (Fig. 2).

Figure 2 presents three scenarios for the agents involved in the coordinated attack problem. The rounded boxes represent locations (local states), while the arrows denote transitions between locations. The beginning location for each agent is in bold. The transitions sharing labels are executed simultaneously (i.e., synchronize). The local states for the agents are listed below:

• $L_{General_A} = \{wait_A, order_A, ack_A, win_A\}$,

• $L_{General_B} = \{wait_B, order_B, ready_B, win_B, fail_B\}$,

• $L_{Environment} = \{wait_E, order_E, ack_E, ack\text{-}lost_E\}$.

In our formulas we use the following propositional variables: $attack_A$ and $attack_B$, meaning that the corresponding general has made the decision to attack the enemy; $success_A$ and $success_B$, meaning the victory of each general; and finally $fail_B$, which denotes the defeat of general B (and of both generals). For $s \in G$:

• $attack_A \in V(s)$ iff $l_{General_A}(s) \in \{win_A, ack_A\}$,

• $success_A \in V(s)$ iff $l_{General_A}(s) \in \{win_A\}$,

• $attack_B \in V(s)$ iff $l_{General_B}(s) \in \{order_B, win_B, ready_B, fail_B\}$,

• $success_B \in V(s)$ iff $l_{General_B}(s) \in \{win_B\}$,

• $fail_B \in V(s)$ iff $l_{General_B}(s) \in \{fail_B\}$.

Below we present some properties we test for the coordinated attack problem. Results of the tests are listed for each property in the same way as in the previous example.

• $P_1 = AG(attack_B \Rightarrow K_A K_B\, attack_A)$,

• $P_2 = EF(C_{\{A,B\}}(attack_A \wedge attack_B))$.

The property $P_1$ states that if general B decides to attack, then general A knows that B knows that A will attack the enemy. The property $P_2$ expresses that there is a possibility of achieving common knowledge about the decision to attack the enemy. The experimental results for this example are given in Table 2.


  Property | CNF clauses | UMC-memory | UMC-time | SAT-time
  P1       |         917 |    1488 kB |   1.08 s |   0.02 s
  P2       |         971 |    2300 kB |   1.54 s |   0.01 s

Table 2. Experimental results for the coordinated attack problem


Fig. 2. The attacking generals scenarios: the local transition structures of General A (locations wait_A, order_A, ack_A, win_A), General B (wait_B, order_B, ready_B, win_B, fail_B) and the Environment (wait_E, order_E, ack_E, ack-lost_E), with the synchronizing transition labels send-order, order-rcv, order-lost, send-ack, ack-rcv, ack-lost, co-attack and sep-attack. (The figure itself is not reproduced here.)


9 Conclusions

Verification of multi-agent systems is quickly becoming an active area of research. In the case of model checking, plain temporal verification is not sufficient because of the variety of modalities that are commonly used to specify multi-agent systems. In this paper we have extended the state of the art of the area by providing a model checking theory to perform unbounded model checking on a temporal epistemic language interpreted on interpreted systems. This surpasses the possibilities available already with other SAT-based approaches, namely bounded model checking, in that it is possible to check the full CTLK language, not just its existential fragment.

It should be noted that our tool provides only a preliminary implementation of UMC. The major problem we found was that blocking clauses are defined only over the input variables $V$. This often turned out to be too fine a description and led to generating exponentially many clauses (as can be seen in Table 1). We have found that the alternative implication graph $IG(A', \varphi')$ usually gives shorter blocking clauses only for simple formulas, while formulas encoding "real" UMC problems produce clauses over all literals of $V$. In future work we shall investigate the conjecture of K. McMillan stating that by allowing in blocking clauses literals corresponding not only to state vectors, but also to subformulas, one could obtain a dramatic improvement in performance.
Abstract. We present an algorithm for model checking temporal-epistemic 
properties of multi-agent systems, expressed in the formalism of inter- 
preted systems. We first introduce a technique for the translation of 
interpreted systems into boolean formulae, and then present a model- 
checking algorithm based on this translation. The algorithm is based on 
obdd’s, as they offer a compact and efficient representation for boolean 
formulae. 


1 Introduction 

Theoretical investigations in the area of multi-agent systems (MAS) have tra- 
ditionally focused on specifications. Various logics have been explored to give 
formal foundations to MAS, particularly for mental attitudes [1] of agents, such 
as knowledge, belief, desire, etc. To consider the temporal evolution of these at- 
titudes, temporal logics such as CTL and LTL [2] have been included in MAS 
formalisms, thereby producing combinations of temporal logic with, for example, 
epistemic, doxastic, and deontic logics. 

Although it is important to investigate formal tools for specifying MAS, the 
problem of verification of MAS must also be taken into account to ensure that 
systems behave as they are supposed to. Model checking is a well-established 
verification technique for distributed systems specified by means of temporal 
logics [3,2]. The problem of model checking is to verify whether a logical formula 
$\varphi$ expressing a certain required property is true in a model $M$ representing 
the system, that is establishing whether or not $M \models \varphi$. This approach can also 
be applied to MAS, where in this case $M$ is a semantical model representing 
the evolutions of the MAS, and $\varphi$ is a formula expressing temporal-intentional 
properties of the agents. Recent work along these lines includes [4], in which 
Wooldridge et al. present the MABLE language for the specification of MAS. In 
this work, modalities are translated as nested data structures (in the spirit of [5]). 
Bordini et al. [6] use a modified version of the AgentSpeak(L) language [7] to 
specify agents and to exploit existing model checkers. For verification purposes, 
both the works of Wooldridge et al. and of Bordini et al. translate the MAS 
specification into a SPIN specification [8] to perform the verification. The works 


of van der Meyden and Shilov [9], and van der Meyden and Su [10], are concerned 
with verification of interpreted systems. They consider the verification of a par- 
ticular class of interpreted systems, namely the class of synchronous distributed 
systems with perfect recall. An algorithm for model checking is introduced in the 
first paper using automata, and [10] suggests the use of OBDD’s for this approach. 

The aim of this paper is to present an algorithm for model checking epistemic 
and temporal properties of interpreted systems [11]. This differs from previous 
work by treating all the modalities explicitly in the verification process. We 
focus on temporal-epistemic model checking because the verification of epistemic 
properties (and their temporal evolution) is crucial in many scenarios, including 
communication protocols and security protocols. 

Interpreted systems are a formalism for representing epistemic properties 
of MAS and their evolution with time. The algorithm that we present does 
not involve the translation into existing model checkers; it is fully symbolic, 
and it is based on boolean functions. Boolean functions can be represented and 
manipulated efficiently by means of OBDD’s, as has been shown for CTL model 
checking [12]. 

The rest of the paper is organised as follows: in Section 2 we briefly review 
OBDD’s-based model checking and the formalism of interpreted systems. In Sec- 
tion 3.1 we present the translation of interpreted systems into boolean formulae, 
while in Section 3.2 we introduce an algorithm based on this translation. We 
provide a proof of the correctness of the algorithm in Section 3.3. We conclude 
in Section 4. 

2 Preliminaries 

2.1 CTL model checking and OBDD’s 

Given a model $M$ and a formula $\varphi$ in some logic, the problem of model checking 
involves establishing whether or not $M \models \varphi$ holds. Tools have been built to 
perform this task automatically, where $M$ is a model of some temporal logic [3, 
2, 8]. SMV [12] and SPIN [8] are two well-known model checkers; in these tools 
the model is given indirectly by means of a program $P$. It is not efficient to 
build explicitly the model $M$ represented by $P$, because $M$ has a size which 
is exponential in the number of variables of $P$ (this fact is known as the state 
explosion problem). Instead, various techniques have been developed to perform 
symbolic model checking, which is the problem of model checking where the model 
$M$ is not described or computed in extension. Techniques for symbolic model 
checking mostly use either automata [8], or OBDD’s [13] for the representation 
of all the parameters needed by the algorithms. For the purpose of this paper, 
we will only consider symbolic model checking of the temporal logic CTL using 
OBDD’s [14]. 

CTL is a logic used to reason about the evolution of a system represented as a 
branching path. Given a countable set of propositional variables $\mathcal{V} = \{p, q, \ldots\}$, 
CTL formulae are defined as follows: 

$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid EX\varphi \mid EG\varphi \mid E(\varphi U \varphi)$



where the temporal operator $X$ means in the next state, $G$ means globally and $U$ 
means until. Each temporal operator is prefixed by the existential quantifier $E$. 
Thus, for example, $EG(\varphi)$ means that “there exists a path in which $\varphi$ is globally 
true”. Traditionally, other operators are added to the syntax of CTL, namely 
$AX$, $EF$, $AF$, $AG$, $AU$ (notice the “universal” quantifier $A$ over paths, dual of 
$E$). These operators can be derived from the operators introduced here [2]. The 
semantics of CTL is given via a model $M = (S, R, V, I)$ where $S = \{s_0, s_1, \ldots\}$ 
is a set of states, $R \subseteq S \times S$ is a binary relation, $V : \mathcal{V} \to 2^S$ is an evaluation 
function, and $I \subseteq S$ is a set of initial states. A path $\pi$ is a sequence of states 
$\pi = (s_0, s_1, \ldots)$ such that $s_0 \in I$ and $\forall i, (s_i, s_{i+1}) \in R$. A state $s_i$ in a path $\pi$ is 
denoted with $\pi_i$. Satisfaction in a state is defined inductively as follows: 

$s \models p$ iff $s \in V(p)$, 

$s \models EX\varphi$ iff there exists a path $\pi$ such that $\pi_i = s$ and $\pi_{i+1} \models \varphi$, 

$s \models EG\varphi$ iff there exists a path $\pi$ such that $\pi_i = s$ and $\pi_{i+j} \models \varphi$ 
for all $j \geq 0$, 

$s \models E(\varphi U \psi)$ iff there exists a path $\pi$ such that $\pi_i = s$ and a $k \geq 0$ such 
that $\pi_{i+k} \models \psi$ and $\pi_{i+j} \models \varphi$ for all $0 \leq j < k$. 

OBDD’s (Ordered Binary Decision Diagrams) are an efficient representation 
for the manipulation of boolean functions. As an example, consider the boolean 
function $a \wedge (b \vee c)$. The truth table of this function would be 8 lines long. Equiv- 
alently, one can evaluate the truth value of this function by representing the 
function as a directed graph, as exemplified on the left-hand side of Figure 1. As 
is clear from the picture, under certain assumptions, this graph can be simpli- 
fied into the graph pictured on the right-hand side of Figure 1. This “reduced” 
representation is called the OBDD of the boolean function. 



Fig. 1. OBDD representation for $a \wedge (b \vee c)$. 


Besides offering a compact representation of boolean functions, OBDD’s of 
different functions can be composed efficiently; in [13] algorithms are provided 
for the manipulation and composition of OBDD’s. 

The idea of CTL model checking using OBDD’s is to represent states of the 
model and relations by means of boolean formulae. A CTL formula is identified 
with a set of states, i.e. the states of the model satisfying the formula. As a set 
of states can be represented as a boolean formula, each CTL formula can be 
characterised by a boolean formula. Thus, the problem of model checking for 
CTL is reduced to the construction of boolean formulae. This is achieved by 
composing OBDD’s, or by computing fix-points of operators on OBDD’s; we refer 
to [2] for the details. By means of this approach large systems have been checked, 
including hardware and software components. 

2.2 Interpreted Systems 

An interpreted system is a semantic structure representing the temporal evolu- 
tion of a system of agents. Each agent $i$ ($i \in \{1, \ldots, n\}$) is characterised by a set 
of local states $L_i$ and by a set of actions $Act_i$ that may be performed. Actions 
are performed in compliance with a protocol $P_i : L_i \to 2^{Act_i}$; notice that this 
definition allows for non-determinism. A tuple $g = (l_1, \ldots, l_n) \in L_1 \times \ldots \times L_n$, 
where $l_i \in L_i$ for each $i$, is called a global state and gives a snapshot of the sys- 
tem. Given a set $I$ of initial global states, the evolution of the system is described 
by $n$ evolution functions¹: $t_i : L_1 \times \ldots \times L_n \times Act_1 \times \ldots \times Act_n \to L_i$. In this 
formalism the environment in which agents “live” is usually modeled by means 
of a special agent $E$; we refer to [11] for more details. 

The set $I$, the functions $t_i$ and the protocols $P_i$ generate a set of runs. Formally, a run $\pi$ 
is a sequence of global states $\pi = (g_0, g_1, \ldots)$ such that $g_0 \in I$ and, for each pair 
$(g_j, g_{j+1}) \in \pi$, there exists a set of actions $a$ enabled by the protocols such that 
$t(g_j, a) = g_{j+1}$. $G \subseteq (L_1 \times \ldots \times L_n)$ denotes the set of reachable global states. 

Given a set of agents $A = \{1, \ldots, n\}$ with corresponding local states, pro- 
tocols, and transition functions, a countable set of propositional variables $\mathcal{V} = 
\{p, q, \ldots\}$, and a valuation function for the atoms $V : \mathcal{V} \to 2^G$, an interpreted 
system is a tuple $IS = (G, I, \Pi, \sim_1, \ldots, \sim_n, V)$. In the above $G$ is the finite set 
of reachable global states for the system, $I \subseteq G$ is the set of initial states, and 
$\Pi$ is the set of possible runs in the system. The binary relation $\sim_i$, $i \in A$, is 
defined by $g \sim_i g'$ iff $l_i(g) = l_i(g')$, i.e. if the local state of agent $i$ is the same 
in $g$ and in $g'$. Some issues arise with respect to the generation of the reachable 
states in the system given a set of protocols and transition relations; since they 
do not influence this paper we do not report them here. 

Interpreted systems semantics can be used to interpret formulae of a temporal 
language enriched with epistemic operators [11]. Here we assume a temporal tree 
structure to interpret CTLK formulae [15]. The syntax of CTLK is defined in 
terms of a countable set of propositional variables $\mathcal{V} = \{p, q, \ldots\}$ and using the 
following modalities: 

$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid EX\varphi \mid EG\varphi \mid E(\varphi U \varphi) \mid K_i\varphi$ 

The modalities $AX$, $EF$, $AF$, $AG$, $AU$ are derived in the standard way. Further, 
given a set of agents $\Gamma$, two group modalities can be introduced: $E_\Gamma\varphi$ and 
$C_\Gamma\varphi$ denote, respectively, that every agent in the group knows $\varphi$, and that $\varphi$ is 
common knowledge in the group (see [11] for details). 


¹ This definition is equivalent to the definition of a single evolution function $t$ as in [11]. 



Given an interpreted system $IS$, a global state $g$, and a formula $\varphi$, the se- 
mantics of CTLK is defined as follows: 

$IS, g \models p$ iff $g \in V(p)$, 

$IS, g \models \neg\varphi$ iff $g \not\models \varphi$, 

$IS, g \models \varphi_1 \vee \varphi_2$ iff $g \models \varphi_1$ or $g \models \varphi_2$, 

$IS, g \models EX\varphi$ iff there exists a run $\pi$ such that $\pi_i = g$ for some $i$, and $\pi_{i+1} \models \varphi$, 

$IS, g \models EG\varphi$ iff there exists a run $\pi$ such that $\pi_i = g$ for some $i$, and $\pi_j \models \varphi$ for all $j \geq i$, 

$IS, g \models E(\varphi U \psi)$ iff there exists a run $\pi$ such that $\pi_i = g$ for some $i$, and a $k \geq 0$ such that $\pi_{i+k} \models \psi$ and $\pi_j \models \varphi$ for all $i \leq j < i+k$, 

$IS, g \models K_i\varphi$ iff $\forall g' \in G$, $g \sim_i g'$ implies $g' \models \varphi$, 

$IS, g \models E_\Gamma\varphi$ iff $\forall g' \in G$, $g \sim^E_\Gamma g'$ implies $g' \models \varphi$, 

$IS, g \models C_\Gamma\varphi$ iff $\forall g' \in G$, $g \sim^C_\Gamma g'$ implies $g' \models \varphi$. 

In the definition above, $\pi_j$ denotes the global state at place $j$ in run $\pi$. 
Other temporal modalities can be derived, namely $AX$, $EF$, $AF$, $AG$, $AU$. We 
write $IS \models \varphi$ if, for every global state $g \in G$, $IS, g \models \varphi$. We refer to [11, 15] for 
more details. 

3 A model checking algorithm for CTLK 

The main idea of this paper is to use algorithms based on OBDD’s to verify tem- 
poral and epistemic properties of multi-agent systems, in the spirit of traditional 
model checking for temporal logics. To this end, it is necessary to encode all the 
parameters needed by the algorithms by means of boolean functions, and then 
to represent boolean functions by means of OBDD’s. As this last step can be 
performed automatically using software libraries that are widely available, in 
this paper we introduce only the translation of interpreted systems into boolean 
formulae (Section 3.1). In Section 3.2 we present an algorithm based on this 
translation for the verification of CTLK formulae. 

3.1 Translating an interpreted system into boolean formulae 

The local states of an agent can be encoded by means of boolean variables (a 
boolean variable is a variable that can assume just one of the two values 0 or 
1). The number of boolean variables needed for each agent is $nv(i) = \lceil \log_2 |L_i| \rceil$. 
Thus, a global state can be identified by means of $N = \sum_i nv(i)$ boolean variables: 
$g = (v_1, \ldots, v_N)$. The evaluation function $V$ associates a set of global states 
to each propositional atom, and so it can be seen as a boolean function. The 
protocols, too, can be expressed as boolean functions (actions being represented 
with boolean variables $(a_1, \ldots, a_M)$ similarly to global states). 

The definition of $t_i$ in Section 2.2 can be seen as specifying a list of conditions 
$c_{i,1}, \ldots, c_{i,k}$ under which agent $i$ changes the value of its local state. Each $c_{i,j}$ 
relates conditions on global state and actions with the value of the “next” local state: 

$t_i = c_{i,1} \vee \ldots \vee c_{i,k}$ 

We assume that the last condition $c_{i,k}$ of $t_i$ prescribes that, if none of the con- 
ditions $c_{i,j}$ ($j < k$) is true, then the local state for $i$ does not change. This 
assumption is key to keeping the description of an interpreted system compact, as 
in this way only the conditions that are actually causing a change need to be 
listed. 

The algorithm presented in Section 3.2 requires the definition of a boolean 
function $R_t(g, g')$ representing a temporal relation between $g$ and $g'$. $R_t(g, g')$ 
can be obtained from the evolution functions $t_i$ as follows. First, we introduce a 
global evolution function $t$: 

$t = \bigwedge_i t_i = \bigwedge_i (c_{i,1} \vee \ldots \vee c_{i,k})$ 

Notice that $t$ is a boolean function involving two global states and a joint action 
$a = (a_1, \ldots, a_M)$. To abstract from the joint action and obtain a boolean function 
relating two global states only, we can define $R_t$ as follows: 

$R_t(g, g')$ iff $\exists a \in Act : t(g, a, g')$ is true and each local action $a_i \in a$ is enabled by 
the protocol of agent $i$ in the local state $l_i(g)$. 

The quantification over actions above can be translated into a propositional 
formula using a disjunction (see [12,3] for a similar approach to boolean quan- 
tification): 

$R_t(g, g') = \bigvee_{a \in Act} [t(g, a, g') \wedge P(g, a)]$ 

where $P(g, a)$ is a boolean formula imposing that the joint action $a$ must be con- 
sistent with the agents’ protocols in global state $g$. $R_t$ gives the desired boolean 
relation between global states. 

3.2 The algorithm 

In this section we present the algorithm $SAT_{CTLK}$ to compute the set of global 
states in which a CTLK formula $\varphi$ holds, denoted with $[[\varphi]]$. The following are 
the parameters needed by the algorithm: 

— the boolean variables $(v_1, \ldots, v_N)$ and $(a_1, \ldots, a_M)$ to encode global states 
and joint actions; 

— the boolean functions $P_i(v_1, \ldots, v_N, a_1, \ldots, a_M)$ to encode the protocols of 
the agents; 

— the function $V(p)$ returning the set of global states in which the atomic 
proposition $p$ holds. We assume that the global states are returned encoded 
as a boolean function of $(v_1, \ldots, v_N)$; 

— the set of initial states $I$, encoded as a boolean function; 

— the set of reachable states $G$. This can be computed as the fix-point of the 
operator $\tau(Q(g)) = I(g) \vee \exists g' (R_t(g', g) \wedge Q(g'))$ where $I(g)$ is true if $g$ is an initial 
state and $Q$ denotes a set of global states. The fix-point of $\tau$ can be computed 
by iterating $\tau(\emptyset)$ by standard procedure (see [12]); 

— the boolean function $R_t$ to encode the temporal transitions; 

— $n$ boolean functions $R_i$ to encode the accessibility relations $\sim_i$ (these func- 
tions are easily defined using equivalence on local states of $G$); 

— the boolean function $R_\Gamma$ to encode the group accessibility relation, defined by $R_\Gamma = \bigwedge_{i \in \Gamma} R_i$. 


The algorithm is as follows: 


SAT_CTLK(φ) {
    φ is an atomic formula: return V(φ);
    φ is ¬φ1: return G \ SAT_CTLK(φ1);
    φ is φ1 ∧ φ2: return SAT_CTLK(φ1) ∩ SAT_CTLK(φ2);
    φ is EXφ1: return EX_CTLK(φ1);
    φ is E(φ1 U φ2): return EU_CTLK(φ1, φ2);
    φ is EGφ1: return EG_CTLK(φ1);
    φ is K_i φ1: return K_CTLK(φ1, i);
    φ is E_Γ φ1: return E_CTLK(φ1, Γ);
    φ is C_Γ φ1: return C_CTLK(φ1, Γ);
}

In the algorithm above, $EX_{CTLK}$, $EG_{CTLK}$, $EU_{CTLK}$ are the standard 
procedures for CTL model checking [2] in which the temporal relation is $R_t$ 
and, instead of temporal states, global states are considered. The procedures 
$K_{CTLK}(\varphi, i)$, $E_{CTLK}(\varphi, \Gamma)$ and $C_{CTLK}(\varphi, \Gamma)$ are presented below. 


K_CTLK(φ, i) {
    X = SAT_CTLK(¬φ);
    Y = {g ∈ G | R_i(g, g') and g' ∈ X};
    return ¬Y;
}

E_CTLK(φ, Γ) {
    X = SAT_CTLK(¬φ);
    Y = {g ∈ G | R_Γ(g, g') and g' ∈ X};
    return ¬Y;
}

C_CTLK(φ, Γ) {
    X = SAT_CTLK(φ);
    Y = G;
    while (X ≠ Y) {
        X = Y;
        Y = {g ∈ G | R_Γ(g, g') and g' ∈ Y and g' ∈ SAT_CTLK(φ)};
    }
    return Y;
}







The procedure $C_{CTLK}(\varphi, \Gamma)$ is based on the equivalence [11] 

$C_\Gamma\varphi = E_\Gamma(\varphi \wedge C_\Gamma\varphi)$ 

which implies that $[[C_\Gamma\varphi]]$ is the fix-point of the (monotonic) operator $\tau(Q) = 
[[E_\Gamma(\varphi \wedge Q)]]$. Hence, $[[C_\Gamma\varphi]]$ can be obtained by iterating $\tau(G)$. 

Notice that all the parameters can be encoded as OBDD’s. Moreover, all the 
operations inside the algorithms can be performed on OBDD’s as presented in [13]. 

To check that a formula holds in a model, it is enough to check whether or 
not the result of $SAT_{CTLK}$ is equivalent to the set of reachable states. 
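To make the procedures of this section concrete, here is an added explicit-state implementation of $SAT_{CTLK}$ (not the paper's code) run on a small constructed sender/receiver system: frozensets of global states stand in for OBDD's, $R_t$ is assumed total so that runs are infinite, and the group relation behind $E_\Gamma$ is taken as the union of the $R_i$ (the reading "every agent in $\Gamma$ knows"). The two checks at the end have the shape of $P_1$ and $P_2$ from the coordinated-attack table earlier on this page, an $AG(\ldots \Rightarrow K \ldots)$ invariant and an $EF(C_\Gamma \ldots)$ reachability, but the model itself is a constructed one, not the generals scenario.

```python
from dataclasses import dataclass

# Added example, not the paper's code: an explicit-state version of SAT_CTLK
# (Section 3.2). Sets of global states are frozensets in place of OBDDs and each
# relation is a set of (g, g') pairs, so every procedure below computes the same
# fix-point the paper computes symbolically. ASSUMPTIONS: R_t is total (every
# state has a successor, so runs are infinite), and the group relation R_Gamma
# behind E_Gamma is the union of the R_i, i.e. "every agent in Gamma knows".

@dataclass
class InterpretedSystem:
    G: frozenset      # reachable global states, each a tuple (l_1, ..., l_n)
    I: frozenset      # initial states
    Rt: frozenset     # temporal relation R_t as a set of (g, g') pairs
    V: dict           # atom -> set of global states where it holds

    def R(self, i):
        """R_i: g ~_i g' iff the local state of agent i is the same, l_i(g) = l_i(g')."""
        return frozenset((g, h) for g in self.G for h in self.G if g[i] == h[i])

    def R_group(self, group):
        """R_Gamma used by E_CTLK and C_CTLK (union of the R_i, see assumptions)."""
        return frozenset().union(*(self.R(i) for i in group))

def pre(R, X):
    """{g in G | R(g, g') and g' in X}: the pre-image every procedure is built from."""
    return frozenset(g for g, h in R if h in X)

def sat(IS, f):
    """SAT_CTLK(f): the set [[f]] of global states satisfying f.
    Formulas are tuples: ('atom', p), ('not', f), ('and', f, g), ('or', f, g),
    ('EX', f), ('EG', f), ('EU', f, g), ('K', i, f), ('E', group, f), ('C', group, f)."""
    op = f[0]
    if op == 'true':  return IS.G
    if op == 'atom':  return frozenset(IS.V.get(f[1], ()))
    if op == 'not':   return IS.G - sat(IS, f[1])
    if op == 'and':   return sat(IS, f[1]) & sat(IS, f[2])
    if op == 'or':    return sat(IS, f[1]) | sat(IS, f[2])
    if op == 'EX':    return pre(IS.Rt, sat(IS, f[1]))
    if op == 'EG':                 # greatest fix-point of Y = [[f1]] and pre(Y)
        X = Y = sat(IS, f[1])
        while (Z := X & pre(IS.Rt, Y)) != Y:
            Y = Z
        return Y
    if op == 'EU':                 # least fix-point of Y = [[f2]] or ([[f1]] and pre(Y))
        X, Y = sat(IS, f[1]), sat(IS, f[2])
        while (Z := Y | (X & pre(IS.Rt, Y))) != Y:
            Y = Z
        return Y
    if op == 'K':                  # K_CTLK: complement of pre_{R_i}([[not f]])
        return IS.G - pre(IS.R(f[1]), IS.G - sat(IS, f[2]))
    if op == 'E':                  # E_CTLK: the same with R_Gamma
        return IS.G - pre(IS.R_group(f[1]), IS.G - sat(IS, f[2]))
    if op == 'C':                  # C_Gamma f = E_Gamma(f and C_Gamma f): iterate tau from G
        RG, X, Y = IS.R_group(f[1]), sat(IS, f[2]), IS.G
        while (Z := IS.G - pre(RG, IS.G - (X & Y))) != Y:   # Z = [[E_Gamma(f and Y)]]
            Y = Z
        return Y
    raise ValueError(f'unknown operator {op!r}')

def holds(IS, f):
    """IS |= f iff SAT_CTLK(f) is the whole set of reachable states G (Section 3.3)."""
    return sat(IS, f) == IS.G

# Derived operators of Section 2.1: EF f = E(true U f), AG f = not EF not f, f -> g = not f or g.
def EF(f):          return ('EU', ('true',), f)
def AG(f):          return ('not', EF(('not', f)))
def implies(f, g):  return ('or', ('not', f), g)

# Constructed sample system: agent 0 (sender A) and agent 1 (receiver B). A's local
# state 1 means "message sent", B's local state 1 means "message received"; the
# message can be lost, so (1, 0) may repeat. Terminal states get self-loops.
SAMPLE = InterpretedSystem(
    G=frozenset({(0, 0), (1, 0), (1, 1)}),
    I=frozenset({(0, 0)}),
    Rt=frozenset({((0, 0), (1, 0)), ((1, 0), (1, 0)), ((1, 0), (1, 1)), ((1, 1), (1, 1))}),
    V={'sent': {(1, 0), (1, 1)}, 'rcvd': {(1, 1)}})
A, B = 0, 1
SENT, RCVD = ('atom', 'sent'), ('atom', 'rcvd')

if __name__ == '__main__':
    print('[[K_A sent]]  =', sorted(sat(SAMPLE, ('K', A, SENT))))        # [(1, 0), (1, 1)]
    print('[[E_AB sent]] =', sorted(sat(SAMPLE, ('E', (A, B), SENT))))   # [(1, 1)]
    print('[[C_AB sent]] =', sorted(sat(SAMPLE, ('C', (A, B), SENT))))   # []
    print('AG(sent -> K_A sent):', holds(SAMPLE, AG(implies(SENT, ('K', A, SENT)))))  # True
    print('EF C_AB rcvd:', holds(SAMPLE, EF(('C', (A, B), RCVD))))       # False
```

The run shows why $E_\Gamma$ and $C_\Gamma$ differ: both agents know `sent` in (1, 1), but B cannot tell (1, 0) from (0, 0), so common knowledge of `sent` is never reached and the $EF(C_\Gamma \ldots)$ check fails.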


3.3 Correctness of the algorithm 

The algorithm presented in Section 3.2 is sound and complete. 

Theorem 1. For every CTLK formula $\varphi$, $IS \models \varphi$ iff $SAT_{CTLK}(\varphi) = G$ (i.e. 
iff the set of states computed by the algorithm is the set of reachable states $G$). 

Proof ($\Rightarrow$): by induction on the structure of $\varphi$. We consider here the epistemic 
operators (a proof for the temporal operators can be found in [2]). Let $\varphi = K_i(\psi)$ 
and let $IS, g \models K_i(\psi)$. This means that $IS, g' \models \psi$ for all $g' \in G$ s.t. $g \sim_i g'$. 
By the induction step, $g' \in [[\psi]]$; also we have $R_i(g, g')$ by definition of $R_i$. This 
implies that $g \in [[K_i(\psi)]]$, i.e. $g \in [[\varphi]]$. The proof for $E_\Gamma$ is similar. The proof of 
correctness for common knowledge follows from the correctness of the fix-point 
characterisation of $C_\Gamma$ [11]. 

($\Leftarrow$): straightforward, as the induction steps above are symmetrical. □ 


4 Conclusion 

Temporal logic model checking using OBDD’s [12] is one of the most successful 
techniques for the verification of distributed systems. In the last decade, this 
methodology has been used for the verification of both software and hardware 
components. 

In this paper we have presented an algorithm for the verification of temporal- 
epistemic properties based on the manipulation of boolean functions. The method- 
ology presented here encodes directly a MAS (specified in the formalism of in- 
terpreted systems) by means of boolean formulae; then, the algorithm allows for 
the (fully symbolic) verification of temporal-epistemic properties. Moreover, the 
algorithm allows for the verification of two group modalities ($E_\Gamma$ and $C_\Gamma$) and 
is not restricted to a particular class of interpreted systems, nor to a particular 
class of formulae. We are currently implementing the algorithm, and in the future 
we aim at testing epistemic and temporal properties of various scenarios from 
the MAS literature. This will help in evaluating the efficiency of the algorithm. 
Abstract. The aim of this paper is to show a method that is able to 
detect inconsistencies in the reasoning carried out by a deliberative agent. 
The agent is supposed to be provided with a hybrid Knowledge Base 
expressed in a language called CCR-2, based on production rules and 
hierarchies of frames, which permits the representation of non-monotonic 
reasoning, uncertain reasoning and arithmetic constraints in the rules. 
The method can give a specification of the scenarios in which the agent 
would deduce an inconsistency. We define a scenario to be a description 
of the initial agent’s state (in the agent life cycle), a deductive tree of rule 
firings, and a partially ordered set of messages and/or stimuli that the 
agent must receive from other agents and/or the environment. Moreover, 
the method will make sure that the scenarios will be valid w.r.t. the 
communication protocols in which the agent is involved. 


1 Introduction 

The purpose of this paper is to show a method to verify the consistency of the 
reasoning that a deliberative agent can perform. We assume the agent to com- 
prise a knowledge base (KB) expressed in a knowledge representation formalism 
called CCR-2. 

The CCR-2 formalism is valid to represent hybrid KBs that combine pro- 
duction rules with hierarchies of frames. This formalism allows us to represent 
non-monotonic reasoning, uncertain reasoning, and arithmetic constraints in the 
rules. 

We assume that the agent whose reasoning is checked needs to carry out a 
reasoning process for deciding its next action according to its goals. The agent’s 
knowledge can fall into three different categories: acquired knowledge , innate 
knowledge or deduced knowledge . The acquired knowledge is made up of ac- 
quired facts, that is, information coming from its perception or requested to 
other agents; the innate knowledge is made up of knowledge that the agent 
knows since the beginning of its life; and the deduced knowledge is formed by 
the facts deduced by firing rules. It is clear that, as the reasoning process evolves, 



the agent may obtain contradictory acquired facts from different sources w.r.t. 
previously acquired facts. In this case, the new knowledge would replace the 
obsolete knowledge. However, the agent should not be allowed to deduce a set 
of contradictory facts from the acquired facts and the innate facts. 

The proposed method finds scenarios in which the agent would deduce an 
inconsistency. A scenario consists of a description of the initial agent’s state (in 
the agent life cycle), a deductive tree of rule firings, and a partially ordered set of 
messages and/or stimuli (expressed as schemas) that the agent must receive from 
other agents and/or the environment to achieve the execution of the deductive 
tree. A scenario permits the execution of a deductive tree of rule firings that will 
deduce a set of semantically contradictory facts. We assume the agent’s state 
to be a set of innate facts, acquired facts (from the sources mentioned above) 
and/or deduced facts, that is, it is a Fact Base (FB). Basically, the partially 
ordered set of messages and/or stimuli schemas, included as part of a scenario, 
will represent precedence dependencies between the messages/stimuli required 
in the reasoning. This set will be checked w.r.t. the communication protocols in 
which the verified agent is involved, so as to guarantee that the precedence dependencies 
can be satisfied by the specification of the communication protocols. 

Some methods or tools designed to detect inconsistencies in a Knowledge 
Base System (KBS) (mostly rule-based systems) build a model of the KBS 
(Graph, Petri Net, etc.), and execute the model for each valid input, in order to 
identify possible inconsistencies during the reasoning process. This approach in 
many cases turns out to be computationally very costly. Thus, we decided to adopt 
another approach in which the starting point is one of the inconsistencies that 
might possibly be deduced by the verified KBS, and the goal is to compute a de- 
scription of the scenarios in which the KBS included in the agent would deduce 
that inconsistency. This approach takes some ideas from the ATMS designed by 
de Kleer (1), since it uses the concept of label as a way to represent a description 
of a set of FBs. Other methods for verifying rule-based systems that follow a 
similar approach were proposed in (2) (3) (4) (5) (6) (7) (8). 

Section 2 explains some points related to the agent’s KB and the inconsistencies 
that are verified by this method, and the hypotheses that will be assumed in the 
operation of the method. Section 3 describes how this method specifies 
the way in which an agent deduces an inconsistency, if possible. In Section 4, the 
procedure for detecting an inconsistency is explained, and in Section 5, a small 
example of application is shown. We end with some conclusions about our work, 
and some future work that will be derived from it. 

2 Scope 

Our method receives as inputs a CCR-2 KB (the agent’s KB), a classification of 
the possible facts that the agent can manage, an Integrity Constraint (IC) to be 
checked, and a set of communication protocol specifications. 

CCR-2 (also called GKR) (9) supports the representation of production rules 
and a high number of object types in the FB: frame classes and instances, re- 
lationships, propositions, attribute values and attribute identifiers. A rule’s an- 
tecedent in CCR-2 is a Disjunctive Normal Form (DNF) formula made up of 
literals. A literal is an atom, a negated atom or a linear arithmetic inequation 
over attribute values and/or certainty factors. An atom states something about 
some object in the FB. In CCR-2 a rule’s consequent contains a list of actions 
that can modify the state of an object, or create or destroy objects, while execut- 
ing the KB system included in the agent. This last characteristic allows us to 
represent some types of non-monotonic reasoning. As it is possible to declare 
variables as relationships and propositions in the rules, the antecedent of a rule 
is a second order logic formula. Nevertheless, the actions of the rules cannot 
change the type of a relationship or a proposition, therefore CCR-2 supports a 
limited representation of second order logic. Moreover, uncertain reasoning 
can be represented in CCR-2 by associating certainty factors to attribute values, 
to tuples in a relationship or to propositions. 

CCR-2 KBs can use two kinds of negation management: closed 
world assumption (CWA) or 3-valued logic. The kind of negation management 
determines: when a fact can be considered true or false; what the effect of the 
actions is; how the facts and actions can be chained during the KBS execution; and 
which pairs of actions are contradictory. For instance, in the 3-valued logic there 
are three truth values: true, false and unknown; a fact will be false if its 
negation appears in the FB, while a fact will be unknown if neither it nor its negation 
appears in the FB; moreover, the action $Add(\neg p)$ deduces the fact $\neg p$, and the 
pair of actions $Add(p)$ and $Add(\neg p)$ are contradictory. It must be highlighted 
that the action $Add(\neg p)$ cannot be employed under CWA. 

The rules are assumed to execute with forward chaining or backward chaining 
under conflict set resolution. The rules are structured in groups whose activation 
or inhibition is controlled by metarules. When a rule is fired, we assume the 
sequential execution of all the actions belonging to the consequent of the rule. 

We assume that two kinds of facts can appear during the agent’s execution: 
static facts and dynamic facts. A static fact is a fact whose truth value changes 
neither from true to false nor from false to true during the reasoning process, 
whereas the truth value of a dynamic fact actually may change those ways. In 
this sense, acquired facts and deduced facts will be dynamic facts. Moreover, 
facts representing innate knowledge are assumed to be static. The method needs 
to know both whether a literal is static or dynamic, and whether a literal is 
acquired, innate or deduced, so a classification must be provided. 

2.1 Defining Inconsistencies: Integrity Constraints 

An IC defines a consistency criterion over input data, output data or input and 
output data. The IC form is: 

$\exists x_1 \in T_1\ \exists x_2 \in T_2 \ldots \exists x_n \in T_n\ \exists() x_{n+1} \in T_{n+1}\ \exists() x_{n+2} \in T_{n+2} \ldots \exists() x_{n+m} \in T_{n+m}$ 

$A \Rightarrow \bot$ 

where $A$ is a second order logic formula in DNF that includes conditions over 
whatever types of CCR-2 objects. Each literal in $A$ has an associated scope, 
which specifies whether the literal is related to input data (acquired literal or 
innate literal), or output data (deducible literal). For the variables in $A$, two 
kinds of quantifiers can be employed: the existential quantifier (with the classical 
meaning) and the restricted existential quantifier (denoted as $\exists() x$). 

An IC $\exists x \in T\,(A(x) \Rightarrow \bot)$ is violated if at least one object in the class $T$ 
that is included in the FB satisfies the conditions imposed over the variable 
$x$ in the formula $A$. 

An IC $\exists() x \in T\,(A(x) \Rightarrow \bot)$ is violated if every object in the class $T$ that 
is included in the FB satisfies the conditions imposed over the variable $x$ 
in the formula $A$ and only those conditions. 

This semantics for the restricted existential quantifier permits the detection 
of knowledge gaps. Let’s see an example of an IC with a restricted existential 
quantifier: 

$\exists() x \in PATIENT$ 

$IsIll(x, FLU), (x.Fever = high) \Rightarrow \bot$ 

Clearly, having a high fever is not enough to deduce that a patient has flu. 
So, if a KBS can violate this IC, it is likely that there is a knowledge gap in the 
KB, that is, the KBS needs more rules. 
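The two quantifier readings above can be checked mechanically against a Fact Base; the following is an added example (not the paper's method or code) that applies the flu IC to two constructed fact bases. It assumes that "satisfies $A$ and only those conditions" means the facts recorded about the object are exactly one conjunct of $A$, and that the IC is not violated for an empty class.

```python
# Added example, not the paper's code: checking an Integrity Constraint of the
# form  Q x in T : A(x) => bottom  against a Fact Base, for the two quantifiers
# of Section 2.1. A(x) is a DNF given as a list of conjuncts, each conjunct a set
# of ground literals about x; facts are (attribute, value) pairs stored per object.
# ASSUMPTION: "satisfies A and only those conditions" is read as: the facts recorded
# about the object are exactly one conjunct of A, nothing more.

# Constructed fact bases: class -> {object id: facts recorded about that object}
FB_GAP = {   # every patient is ill with flu and carries high fever as the only evidence
    'PATIENT': {'p1': {('IsIll', 'FLU'), ('Fever', 'high')},
                'p2': {('IsIll', 'FLU'), ('Fever', 'high')}},
}
FB_OK = {    # p2 carries further evidence, so the KB does not rely on fever alone
    'PATIENT': {'p1': {('IsIll', 'FLU'), ('Fever', 'high')},
                'p2': {('IsIll', 'FLU'), ('Fever', 'high'), ('Cough', 'yes')}},
}
FLU_IC = [{('IsIll', 'FLU'), ('Fever', 'high')}]   # A(x) of the flu example, one conjunct

def satisfies(facts, dnf):
    """A(x) holds for an object when some conjunct of the DNF is among its facts."""
    return any(conj <= facts for conj in dnf)

def satisfies_only(facts, dnf):
    """Restricted reading: the object's facts coincide exactly with one conjunct."""
    return any(conj == facts for conj in dnf)

def violated(fb, quantifier, cls, dnf):
    """True iff the IC  'quantifier x in cls: dnf(x) => bottom'  is violated by fb."""
    objects = list(fb.get(cls, {}).values())
    if quantifier == 'exists':               # ∃x: one satisfying object is enough
        return any(satisfies(f, dnf) for f in objects)
    if quantifier == 'exists_restricted':    # ∃()x: every object, and only A's conditions
        return bool(objects) and all(satisfies_only(f, dnf) for f in objects)
    raise ValueError(f'unknown quantifier {quantifier!r}')

def knowledge_gap(fb, cls, dnf):
    """A violated restricted IC signals a knowledge gap, as Section 2.1 reads it."""
    return violated(fb, 'exists_restricted', cls, dnf)

if __name__ == '__main__':
    for name, fb in (('FB_GAP', FB_GAP), ('FB_OK', FB_OK)):
        print(name, 'exists:', violated(fb, 'exists', 'PATIENT', FLU_IC),
              'exists():', violated(fb, 'exists_restricted', 'PATIENT', FLU_IC))
```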


2.2 Specifying Interaction with the Environment and other Agents 

Nowadays, different notations can be employed to specify communication proto- 
cols: AUML interaction diagrams¹ or state machines as in (10). For the purpose 
of the proposed method, state machines are more suitable, as the checking of 
the scenarios w.r.t. the protocols must be automated. Hence, a state machine 
view for the verified agent must also be supplied as an input to our method. 
Each state transition of the state machine owns a label that describes the form of the 
messages/stimuli that fire the transition. This label is expressed in terms of 
message/stimulus schemas. 

In addition to the state machine, a correspondence between message/stimulus 
schemas and acquired literals must be supplied. If a message/stimulus schema 
corresponds to a set of acquired literals, any message/stimulus that 
matches that schema contains a model for the formula $\exists x_1 \exists x_2 \ldots \exists x_n (\bigwedge_{i=1}^{k} l_i)$ 
where $x_1, x_2, \ldots, x_n$ are all the free variables in $\bigwedge_{i=1}^{k} l_i$. This latter formula 
can also be viewed as a query. 

2.3 Assumed Non-Monotonic Reasoning 

CCR-2 rules can introduce new facts in the agent’s state, but they can also delete 
already existing facts. This provides the agent’s designer with the capability of 
building agents with non-monotonic reasoning. So, we could find production 
rules of the form $p \rightarrow Del(p)$ under CWA. This kind of rule (when $p$ is assumed 
to be provided) is not admissible in a RB from the point of view of classical 
logic or default logic (11), since they are logical inconsistencies. However, if we 
examine these rules from the point of view of temporal logic (12), and we rewrite 
them as $\neg p\ \mathit{atnext}\ p$ (where the intended meaning for the operator $\mathit{atnext}$ is: $\neg p$ 
holds at the next time point that $p$ holds), then these rules should be perfectly 
admissible in a RB. From our perspective, production rules should be interpreted 
as rules of the form $\neg p\ \mathit{atnext}\ p$. If we admit rules of the form $\neg p\ \mathit{atnext}\ p$, we 
situate ourselves quite far from the concept of inconsistency as defined in other 
works, so we are going to clarify the meaning of inconsistency in this work: 

¹ http://www.auml.org/ 

A deductive tree T that deduces a pair of facts F and F' is consistent iff: 

(a) T does not contain a set of contradictory static facts, or 

(b) the deductive subtree of T that deduces F does not deduce F' in the 
end, and vice versa. 

This definition implies that the deductive subtree that deduces a fact F must 
not deny the other fact F' that must hold at the same time as F, and vice 
versa. 

When the agent executes a reasoning process, a deductive tree is evaluated and a 
sequence of rules is fired. A deductive tree defines a partial order on rule firings, 
so many sequences correspond to a given deductive tree. The definition shown 
above is no more than a structural property to be fulfilled by the deductive trees 
built by the agent that we want to verify using our method. We will call this 
property Tree_Consistency(dt), where dt is a deductive tree, that is, a tree of rule 
firings defined recursively by means of the constructor tree and the constant 
NIL_TREE (empty tree). As our method simulates the agent's reasoning, 
it discards any deductive process that implies the creation of an invalid 
deductive tree. Next, we define this property formally: 

$Tree\_Consistency(dt) = Tree\_Consistency\_Aux1(Boundary(dt))$ 
$\qquad \wedge\ Tree\_Consistency\_Aux2(dt, \emptyset)$ 

$Tree\_Consistency\_Aux1(B) =$ 
$\qquad \neg(\exists\, is \in INCONSISTENT\_SETS,\ is \subseteq \bigcup_{r \in B} Assumed\_Facts(r))$ 

$Tree\_Consistency\_Aux2(dt, scope) = (dt = NIL\_TREE)\ \vee$ 
$\qquad \exists r\, \exists a_1\, \exists a_2 \dots \exists a_n\ (dt = tree(r, (a_1, a_2, \dots, a_n)),$ 
$\qquad scope\_in\_rule = scope \setminus Deduced\_Facts(r),$ 
$\qquad \neg((\exists f \in scope\_in\_rule,\ \exists f' \in Assumed\_Facts(r),\ (f = \neg f'))\ \vee$ 
$\qquad\quad (\exists f \in Deduced\_Facts(r),\ \exists f' \in scope,\ (f = \neg f'))),$ 
$\qquad Tree\_Consistency\_Aux2(a_1, scope\_in\_rule \cup Assumed\_Facts(r)),$ 
$\qquad Tree\_Consistency\_Aux2(a_2, scope\_in\_rule \cup Assumed\_Facts(r)),$ 
$\qquad \dots$ 
$\qquad Tree\_Consistency\_Aux2(a_n, scope\_in\_rule \cup Assumed\_Facts(r)))$ 


where INCONSISTENT_SETS is the set of the different inconsistencies 
to be considered, the function Boundary(dt) returns the set of rule firings 
that are leaves of the tree dt, the function Deduced_Facts(r) returns the facts 
deduced by the rule firing r and the function Assumed_Facts(r) returns the 
static facts that must hold to permit the rule firing r. 

In the definition above, the property Tree_Consistency_Aux1 specifies 
condition (a) of the definition of consistent deductive tree above, and the prop- 
erty Tree_Consistency_Aux2 specifies condition (b). 



Figure 1: Example of an invalid deductive tree 


Let's see an example of an inconsistent RB. Let's take the production rules R1: 
$r, s \rightarrow Del(p)$; R2: $t \rightarrow Add(p)$; R3: $\neg p \rightarrow Add(q)$ under CWA. In figure 1 
we can see the deductive tree for the conjunction $p \wedge q$ that is supposed to be 
the antecedent of another rule. The facts p and q are deducible and all the other 
facts are non-deducible. Obviously (see rule R3), in order to deduce q, $\neg p$ must 
be deduced beforehand, and after having deduced $\neg p$ it is not possible to deduce 
p. This example deserves an additional comment. If we assume that the rules are 
executed with forward chaining and we fire them in the sequence [R1, R3, R2], 
then the facts p and q will both be true in the final FB. However, if the rules 
are fired in the sequence [R2, R1, R3], then the facts $\neg p$ and q will be 
present in the final FB. With the first sequence, the fact q was deduced first, and 
then the fact p; with the second sequence the facts were deduced the other way 
round. Our definition of inconsistency includes situations like this one, where the 
truth values of the goal facts depend on the order in which they are deduced. 

Let's see an example of a RB that is consistent according to our definition, 
but inconsistent according to other definitions. Let's take the production rules 
R1: $n, u \rightarrow Add(q)$; R2: $s, \neg q \rightarrow Add(q)$; R3: $q, m, t \rightarrow Del(p)$; R4: $v \rightarrow Del(q)$ 
under CWA. In figure 2 we can see the deductive tree for the conjunction 
$\neg p \wedge q$ that is supposed to be the antecedent of another rule. We want to deduce 
$\neg p$ and q, and all the other facts are non-deducible. We can see that there 
are six different sequences of rules that correspond to the deductive tree of 
figure 2. However, among them, only three sequences are feasible ([R4, R2, R1, 
R3], [R1, R3, R4, R2] and [R1, R4, R2, R3]), and all three sequences 
deduce the same truth values for p and q. 





Figure 2: Example of a valid deductive tree 
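The Tree_Consistency property of section 2.3, transcribed as an added Python example (not the paper's code) and applied to the deductive trees of figures 1 and 2. It assumes that the root of each tree is the rule whose antecedent is the goal conjunction (the "another rule" of the text), with the conjunction's literals as its assumed facts, that Del(p) deduces ¬p under CWA, and it reuses the flu IC of section 2.1 as a sample inconsistent set; the "~" prefix stands for ¬.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Literals are strings; a leading "~" stands for the paper's negation sign.
def negate(lit: str) -> str:
    return lit[1:] if lit.startswith("~") else "~" + lit

@dataclass
class RuleFiring:
    """One node of a deductive tree: tree(r, (a_1, ..., a_n)) in the paper's notation."""
    name: str
    assumed: Set[str]    # Assumed_Facts(r): static facts that must hold to fire r
    deduced: Set[str]    # Deduced_Facts(r): Add(p) deduces p, Del(p) deduces ~p under CWA
    children: List["RuleFiring"] = field(default_factory=list)  # subtrees deducing the assumed facts

NIL_TREE = None  # the empty tree

def boundary(dt):
    """Boundary(dt): the rule firings that are leaves of dt."""
    if dt is NIL_TREE:
        return []
    return [dt] if not dt.children else [leaf for c in dt.children for leaf in boundary(c)]

def aux1(leaves, inconsistent_sets):
    """Tree_Consistency_Aux1: no inconsistent set lies inside the union of the leaves' assumptions."""
    assumed = set().union(*(r.assumed for r in leaves))
    return not any(inc <= assumed for inc in inconsistent_sets)

def aux2(dt, scope):
    """Tree_Consistency_Aux2: `scope` holds the facts that must still be true at this firing."""
    if dt is NIL_TREE:
        return True
    scope_in_rule = scope - dt.deduced
    if any(f == negate(g) for f in scope_in_rule for g in dt.assumed):
        return False      # an assumption of r denies a fact required above it
    if any(f == negate(g) for f in dt.deduced for g in scope):
        return False      # r deduces the negation of a fact required above it
    return all(aux2(child, scope_in_rule | dt.assumed) for child in dt.children)

def tree_consistency(dt, inconsistent_sets=()):
    return aux1(boundary(dt), inconsistent_sets) and aux2(dt, set())

# Figure 1: goal p ∧ q with R1: r, s -> Del(p); R2: t -> Add(p); R3: ~p -> Add(q).
# The root models the rule whose antecedent is p ∧ q (an assumption of this example).
FIGURE1_TREE = RuleFiring("goal", {"p", "q"}, set(), [
    RuleFiring("R2", {"t"}, {"p"}),
    RuleFiring("R3", {"~p"}, {"q"}, [RuleFiring("R1", {"r", "s"}, {"~p"})]),
])

# Figure 2: goal ~p ∧ q with R1: n, u -> Add(q); R2: s, ~q -> Add(q);
# R3: q, m, t -> Del(p); R4: v -> Del(q).
FIGURE2_TREE = RuleFiring("goal", {"~p", "q"}, set(), [
    RuleFiring("R3", {"q", "m", "t"}, {"~p"}, [RuleFiring("R1", {"n", "u"}, {"q"})]),
    RuleFiring("R2", {"s", "~q"}, {"q"}, [RuleFiring("R4", {"v"}, {"~q"})]),
])

# Section 2.1's IC as an inconsistent set, and a constructed tree whose leaves jointly assume it.
FLU_IC = {"IsIll(x,FLU)", "x.Fever=high"}
FLU_TREE = RuleFiring("goal", {"a", "b"}, set(), [
    RuleFiring("Ra", {"IsIll(x,FLU)"}, {"a"}),
    RuleFiring("Rb", {"x.Fever=high"}, {"b"}),
])

if __name__ == "__main__":
    print(tree_consistency(FIGURE1_TREE))          # False: R3 assumes ~p while p is in scope
    print(tree_consistency(FIGURE2_TREE))          # True
    print(tree_consistency(FLU_TREE, [FLU_IC]))    # False: the leaves assume the whole IC
```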


According to the above definition of inconsistency, it is clear that MECORI 
will not be able to verify some non-monotonic KBSs; in particular, all the KBSs 
whose deductive trees do not follow the consistency definition exposed above, 
for instance, STRIPS-type planners. 


3 Requirements for Getting an Inconsistency: Scenario 


The aim of the proposed method, as explained in section 1, is 
to compute scenarios for an inconsistency described by an IC. Each scenario 
is formed by a description of the initial agent's state, a deductive tree of rule 
firings, and a partially ordered set of messages and/or stimuli. The proposed 
method constructs an object called subcontext to specify what the initial 
agent's state must be and which deductive tree must be executed in order to 
yield an inconsistency. There may be different initial agent states and different 
deductive trees that lead to the same inconsistency. All the different ways to 
violate a certain IC will be specified by means of an object called context. Thus, 
a context will be composed of n subcontexts. In turn, a subcontext is defined as 
a pair (environment, deductive tree) where an environment is made up of a set 
of metaobjects, and a deductive tree is a tree of rule firings. 

A metaobject describes the characteristics that one object which can be 
present in the agent’s state should have. For each type of CCR-2 object there will 
be a different type of metaobject: metaproposition, metaframe, metarelationship, 
metaattribute and metaid-attribute. In order to describe a CCR-2 object, a 
metaobject must include a set of constraints on the characteristics of the CCR-2 
object. Some CCR-2 objects may include references to other CCR-2 objects (for 
example, a frame instance can have references to attributes and a relationship can 
include tuples of references to frame instances), so the counterpart metaobjects 
will contain references to other metaobjects. In the table below, the attributes of 
each type of metaobject are shown. The value of these attributes will represent 
the constraints described by each metaobject. 





CCR-2 Object   | Metaobject        | Attributes of the Metaobject 
---------------+-------------------+------------------------------------------------------ 
Frame          | Metaframe         | (identifier, is_restricted_exist, instance_of, 
               |                   |  subclass_of, metaattributes, metarelationships) 
Attribute      | Metaattribute     | (identifier, is_restricted_exist, metaframe, 
               |                   |  metaid_attributes, value_conditions, cf_conditions) 
Id-Attribute   | Metaid-attribute  | (identifier, is_restricted_exist) 
Relationship   | Metarelationship  | (identifier, is_restricted_exist, 
               |                   |  type, tuples, conditions_for_each_tuple) 
Proposition    | Metaproposition   | (identifier, is_restricted_exist, 
               |                   |  type, truth_value, conditions) 


Given that certain constraints expressed as arithmetic inequations can affect 
the attribute values and the certainty factors associated with CCR-2 objects, 
a different kind of metaobject called condition will represent them. Conditions 
will also appear in environments, together with metaobjects, and they will be 
referenced from and contain references to the metaobjects that participate in 
them. Considering the references among metaobjects and conditions, there can 
be one or more networks of metaobjects and conditions in one environment. 
Figure 3 illustrates an example of an environment describing a FB in which the 
formula $\neg Has(X, Water) \wedge X.temperature > 80$ is true, where the variable X 
is declared as an instance of the frame Car. If there exists a CCR-2 object in the 
FB, for each metaobject in the environment, that satisfies all the requirements 
imposed on it, then the given formula will hold in the FB. 


Figure 3: Environment 


3.1 Temporal labels and constraints 

A goal g is a pair (l, A) where l is a literal and A is a set of metaobjects associated 
with the object names and variables in l, that specifies the FBs in which the lit- 
eral l is satisfied. Moreover, a goal (l, A) is static/dynamic/deducible/acquired/innate 
iff the literal l is static/dynamic/deducible/acquired/innate. 

For the purpose of executing a deductive tree, it may be required that a 
dynamic acquired fact f holds in a rule, and later on, that the fact $\neg f$ holds 
in another rule. This situation may yield an apparently contradictory environ- 
ment. To determine if it is a real contradiction, temporal labels will be associated 
with some constraints included in the goals (l, A) and (l', A') that entail f and 
$\neg f$ respectively, to represent that these constraints must be satisfied in differ- 
ent rule firings (or moments). Each temporal label associated with a constraint 
identifies the rule firing where the constraint must be satisfied, and specifies 
that the constraint comes from a dynamic acquired fact. From these labels, the 
method will specify, as part of the resulting scenario, that a message/stimulus 
that matches schema M and allows literal l to hold must be received before 
a message/stimulus that matches schema M' and allows literal l' to hold is 
received, formally $M < M'$. Temporal constraints, like the one stated in the 
previous sentence, define a partially ordered set of message and/or stimulus 
schemas, in which the relationship $<$ expresses temporal precedence. 

For each static acquired literal included in the KB, it will be required to 
produce a temporal constraint to establish that the message/stimulus (according 
to a schema) allowing the static acquired literal to hold must be received before 
the end of the deductive process. Consequently, to permit the proposed method 
to obtain the proper temporal constraints later, some temporal labels must also 
be associated with the constraints derived from static acquired literals. Besides, 
these labels must specify that the constraints have been obtained from a static 
acquired fact. 

Moreover, the method has to generate temporal constraints to establish that 
some messages/stimuli allowing static acquired literals to hold must be received 
before the message/stimulus that allows a certain dynamic acquired literal to 
hold. Let's see the conditions in which these temporal constraints must be gen- 
erated. Let (R1, R2, ..., RN) be the sequence of rules that are fired as a result 
of evaluating a deductive tree according to the control mechanisms. Let Ri s.t. 
$1 \le i < N$ be a rule whose antecedent requires the dynamic acquired literal Ld 
to hold, and let M be a message/stimulus schema that entails Ld; let Rj s.t. 
$i < j \le N$ be a rule whose antecedent requires the dynamic acquired literal 
$\neg Ld$ to hold, and let M' be a message/stimulus schema that entails $\neg Ld$. Then, 
it is clear that any message/stimulus schema Ml that entails a static acquired 
literal Ls belonging to the antecedent of a rule Rk s.t. $i \le k < j$ must satisfy 
$Ml < M'$. The rationale for generating these temporal constraints will become 
clearer in section 5, when an example is shown. 

4 Description of the method 

Computing the scenarios associated with an IC requires three steps: 

1. Computing the context associated with the IC without taking into account 
the control mechanisms, and considering all the rules to form a unique group. 

2. Computing the scenarios from the context associated with the IC and the 
control mechanisms. 

3. Discarding invalid scenarios w.r.t. the communication protocols. 


4.1 Computing the Context associated with the IC 

Basically, the first step can be divided into two phases. In the first phase, the 
AND/OR decision tree associated with the IC is expanded following a backward 
chaining simulation of the real rule firings. The leaves of this tree are rules that 
only contain acquired facts in their antecedents. At this point, the difference be- 
tween a deductive tree and an AND/OR decision tree should be explained. While 
a deductive tree can be viewed as one way and only one way of achieving a cer- 
tain goal (that is, of deducing a bound formula or of firing a rule), an AND/OR 
decision tree comprises one or more deductive trees, and therefore specifies one or 
more ways to achieve a certain goal. During the first phase, metaobjects are built 
and propagated from one rule to another. In this propagation, some constraints 
are added to the metaobjects due to the rule literals and the declaration part 
of the rules/IC, and some constraints are removed from the metaobjects due to 
the rule actions. In addition to the metaobjects, a set of assumed propositions 
and tuples (SAPT) are propagated and updated. 

In the second phase, the AND/OR decision tree is contracted by means of 
context operations, and metaobjects associated with non-deducible facts and 
conditions associated with inequations are inserted in the subcontexts. Let's de- 
fine the following context operations: creation of a context, concatenation 
of a pair of contexts and combination of a list of contexts. 

Context Operations 

a) Creation: a context with a unique subcontext is created from a non-deducible 
goal $g = (l, A)$ and a rule r: $C(g, r) = \{(E, NIL\_TREE)\}$, where the environ- 
ment E comprises all the metaobjects included in g. The rule r must be a rule 
that comprises the literal l in its antecedent. If the literal l is not innate (so it 
is related to a message/stimulus), some constraints of the metaobjects must be 
labelled with a temporal label indicating that these constraints must be satisfied 
at least in the firing of the rule r; in particular, constraints that state the truth 
value of a metaproposition, and constraints that state the truth value of a tuple 
in a metarelationship. The literal l will hold in any agent's state that satisfies 
all the constraints specified in E. 

b) Concatenation of a pair of contexts: let $C_1$ and $C_2$ be a pair of contexts and 
$Conc(C_1, C_2)$ be the context resulting from the concatenation, then: 
$Conc(C_1, C_2) = C_1 \cup C_2$. 

c) Combination of a list of contexts: let $C_1, C_2, \dots, C_n$ be the list of contexts, and 
$Comb(C_1, C_2, \dots, C_n)$ be the context resulting from the combination. The form 
of this resulting context is: 
$Comb(C_1, C_2, \dots, C_n) = \{(E_{k_1} \cup E_{k_2} \cup \dots \cup E_{k_n},\ DT_{k_1} * DT_{k_2} * \dots * DT_{k_n})\ \text{s.t.}\ (E_{k_i}, DT_{k_i}) \in C_i\}$ 

c.1) Union of environments ($E_i \cup E_j$): this operation consists of the union of 
the sets of metaobjects $E_i$ and $E_j$. After the union of two sets, it is necessary 
to check whether any pair of metaobjects can be merged. A pair of metaob- 
jects will be merged if they contain a pair of constraints $c_1$ and $c_2$ respectively 
such that $c_1$ and $c_2$ specify the same name. As a result of this fusion, the 
new metaobject could be invalid if it contains contradictory constraints not 
coming from dynamic acquired facts. In this case, the resulting environment 
will be invalid, and it will be discarded. Finally, if the resulting environment 
represents an invalid initial agent state, then this environment will also be 
discarded. Moreover, after the union of two environments, it is also necessary 
to check whether the resulting set of conditions can be satisfied or, in other 
words, whether the resulting set of conditions is feasible. 
c.2) Combination of deductive trees ($DT_i * DT_j$): let $DT_i$ and $DT_j$ be deduc- 
tive trees, then $DT_i * DT_j$ is the deductive tree that results from constructing 
a new tree whose root node represents an empty rule firing, and whose two 
subtrees are $DT_i$ and $DT_j$. 

Basically, the creation operation is employed to work out the context associ- 
ated with a non-deducible goal; the combination operation is employed to work 
out the context associated with a conjunction of literals from the contexts as- 
sociated with the literals; and the concatenation operation is employed to work 
out the context associated with a disjunction from the contexts associated with 
the formulas involved in the disjunction. 

These two phases are explained in detail in (13). However, there are some 
differences between the current step and the process explained in (13). These 
differences are related mainly to the context operations and the treatment of 
acquired facts and deductive trees. In (13) a method for verifying an 
isolated KB System is explained, so acquired facts are not considered, and the KB System is 
assumed to deal only with innate knowledge (external facts in (13)) and deduced 
knowledge. 

4.2 Computing the Scenarios 

In the second step of the method, a different scenario is derived from each sub- 
context in the context associated with the IC by adding a partially ordered set 
of messages and/or stimuli to the subcontext. In this step, some subcontexts 
may be discarded if they are impossible w.r.t. the control mechanisms. The par- 
tial order on the message/stimulus schemas reflects the temporal constraints 
derived from the control mechanisms and the deductive tree. These temporal 
constraints are generated as explained in section 3. It may happen 
that more than one message/stimulus schema entails the same literal, so this 
aspect must be taken into account in building the temporal constraints to be 
added to the partially ordered set. 

4.3 Discarding invalid Scenarios w.r.t. the Communication 
Protocols 

In the previous steps, some scenarios have been computed for an IC. However, 
it may happen that some scenario obtained in the previous step describes im- 
possible sequences of messages or stimuli w.r.t. the communication protocols. In 
order to check this, at least one path that satisfies all the temporal constraints 
must be found in the state machine. The first state of this path must be the 
state in which the agent begins its reasoning process. 

5 Example of application 

In this section we will show how the method can be applied to a small example. 
We will assume a deliberative agent that executes the sequence of rules that 
appears in figure 4. For the sake of clarity and conciseness, the rules and the 
IC of this example are not represented in the CCR-2 format, and all the facts 
are propositional. In this example, the facts q and $\neg q$ are dynamic acquired facts 
entailed by the messages M and M' respectively, whereas the fact $\neg r$ is a static 
acquired fact entailed by the stimulus S. Moreover, the fact s belongs to the 
agent's innate knowledge, and the facts t and p are deducible. 

Figure 4: Example with an IC and two rules (recoverable figure content: the 
message M and the stimulus S; R1: $q, \neg r \rightarrow Add(p)$; IC: $s(I), t(O) \Rightarrow \bot$) 


The method begins expanding the AND/OR decision tree. First of all, it is 
necessary to bind each variable of the IC and each referenced object to a metaob- 
ject. Some constraints are derived from each IC literal, and they are added to 
the metaobjects (in this case, metapropositions). The resulting metapropositions 
are: 


$PROP1 = (id \rightarrow s,\ truth\_value \rightarrow true)$ 

$PROP2 = (id \rightarrow t,\ truth\_value \rightarrow true)$ 

In addition to the metaobjects, the SAPT is created. This set contains the 
names of the propositions included in the IC and the tuples of relationships 
whose names appear in the IC that are not associated with dynamic acquired 
facts. So, initially, SAPT = {s, t}, because neither the fact s nor the fact t is a 
dynamic acquired fact. The aim of the SAPT is to warrant the consistency of 
the non-monotonic reasoning in the sense explained in section 2, concretely 
the second point of the consistency definition in section 2. The SAPT plays the 
role of the scope parameter in the definition of the Tree_Consistency property. 
Unluckily, the metaobjects alone cannot warrant the consistency in all cases. 
For example, if the SAPT were not used in the example of section 2 (see figure 
1), the inconsistency would not be detected in the simulation of the agent's 
execution, and that deductive tree would not be discarded. 

Obtaining the context of an IC implies obtaining the context associated with 
each literal included in the IC. If it corresponds to a non-deducible goal, its con- 
text is created (see Creation Operation in section 4.1). In order to compute the 
context of a deducible goal, the method has to generate the contexts associated 
with all the rules that deduce the goal (conflict set), and then it has to concate- 
nate them (in the contraction phase). To decide whether a rule deduces a goal, 
it is necessary to check whether there exists any action in the rule that is unifiable 
with the goal. In the example of figure 4, the IC comprises an innate literal 
(input literal) and a deducible literal (output literal). So, the method finds a 
rule (R2) to deduce the deducible literal. 

In general, a CCR-2 rule premise contains a list of conjunctions joined by 
disjunction operators. Hence, to compute the context of a rule it is needed to 
calculate the context of each conjunction, and then they have to be concatenated 
(in the contraction phase). In order to compute the context of a conjunction, it 
is required to compute the context of each literal included in the conjunction. A 
pre-processing similar to that of an IC is performed over each conjunction before 
computing the contexts of the included literals. As a result of this, new metaob- 
jects and conditions appear and some constraints are added to the metaobjects. 
In the rule R2, the metapropositions PROP3(p) and PROP4($\neg q$) are created. 

The rule R2 contains only one conjunction with two literals p and $\neg q$. While 
p is a deducible fact, $\neg q$ is a dynamic acquired fact. In this example, the rule 
R1 can be employed to deduce the fact p. In the rule R1, the metapropositions 
PROP5(q) and PROP6($\neg r$) are created. 

The SAPT propagated from the IC is updated while processing the rule R2, 
so now SAPT = {s, p}, since t is deleted by the action of the rule R1, and $\neg q$ 
is a dynamic acquired fact. If the antecedent of the rule R2 had comprised the 
fact $\neg s$, a conflict would have been detected when updating the SAPT, and the 
rule R2 would have been discarded. Finally, the SAPT in the rule R1 is SAPT 
= {s}. 

Once the AND/OR decision tree has been expanded completely, the tree is 
contracted by using the context operations, and the constraints generated for 
the non-deducible goals (inside the metaobjects) are propagated forward from 
the leaves of the AND/OR decision tree to the IC. Thus, all these constraints 
are collected in the context associated with the IC. In the example, the contexts 
associated with the non-deducible facts s, q, t and $\neg q$ are created, and next, 
the necessary combination operations are carried out until the context associated 
with the IC is computed. Every time a context is obtained from a combination 
operation in a rule R, this rule R is added to each deductive tree of the context 
as the new root node. 



It is worth mentioning that while computing $Comb(C(p), C(\neg q))$ in the rule 
R2, an apparent conflict is detected between the metapropositions PROP4 and 
PROP5, as they require different truth values for the same proposition q. How- 
ever, there is no contradiction, since the facts q and $\neg q$ are dynamic acquired 
facts, that is, the contradictory facts may hold in different moments. Hence, these 
metapropositions are merged, and the new metaproposition PROP7 is yielded: 

$PROP7 = (id \rightarrow q,\ truth\_value \rightarrow \{true(R1, dynamic), false(R2, dynamic)\})$ 


After applying the first step of the method, the resulting context associated 
with the IC is: $C(IC) = \{(\{PROP1, PROP6, PROP7\},\ tree(R1, [tree(R2, nil)]))\}$, 
where these metapropositions are defined as: 

$PROP7 = (id \rightarrow q,\ truth\_value \rightarrow \{true(R1, dynamic), false(R2, dynamic)\})$ 
$PROP6 = (id \rightarrow r,\ truth\_value \rightarrow false(R1, static))$ 

$PROP1 = (id \rightarrow s,\ truth\_value \rightarrow true)$ 

Next, in the second step, according to the control mechanism, it is determined 
that this deductive tree is evaluated by firing the sequence of rules [R1, R2]. 
Taking this into account, the following temporal constraints are derived from 
the metapropositions: $M < M'$, because the message M must be received before 
the message M', in order to allow the fact q to hold first, and then to allow the 
fact $\neg q$ to hold later; and $S < M'$, because the stimulus S must be received 
before the message M', since, otherwise, the rule R1 will not be able to be fired 
before the rule R2. Thus, the partially ordered set is $\{M < M', S < M'\}$, and 
the scenario is $(C(IC), \{M < M', S < M'\})$. 

Finally, in the third step, the scenario is checked w.r.t. the agent’s state 
machine, which describes the agent behaviour. We can see a fragment of this 
state machine in the figure 5. The reasoning process is supposed to begin in the 
state qO . It is clear that there is a path that satisfies all the temporal constraints 
imposed in the scenario, so the scenario is consistent with the state machine. 
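The section 3.1 rule for deriving temporal constraints and the section 4.3 protocol check, applied to the scenario of section 5, as an added Python example (not the paper's code). The fired sequence, antecedents and schemas are the paper's; the two protocol state machines are constructed here, since figure 5 is not reproduced on the page.

```python
from itertools import product

# Constructed data reproducing the section 5 example.  Literals use "~" for negation;
# a rule's antecedent lists (literal, kind) pairs for its acquired literals only,
# since innate and deducible facts need no message or stimulus.
FIRED_SEQUENCE = ["R1", "R2"]
ACQUIRED_IN_ANTECEDENT = {
    "R1": [("q", "dynamic"), ("~r", "static")],   # R1: q, ~r -> Add(p)
    "R2": [("~q", "dynamic")],                    # R2 also needs p, which is deducible
}
# message/stimulus schema -> acquired literal it entails
SCHEMAS = {"M": "q", "M'": "~q", "S": "~r"}

def negate(lit):
    return lit[1:] if lit.startswith("~") else "~" + lit

def schemas_entailing(lit, schemas):
    return [s for s, entailed in schemas.items() if entailed == lit]

def temporal_constraints(sequence, antecedents, schemas):
    """Set of (before, after) schema pairs, following section 3.1: for Ri needing the
    dynamic literal Ld (schema M) and a later Rj needing ~Ld (schema M'), emit M < M',
    plus Ms < M' for every schema Ms entailing a static acquired literal of a rule Rk
    with i <= k < j.  Several schemas may entail one literal (section 4.2), so every
    pairing is emitted."""
    constraints = set()
    for i, ri in enumerate(sequence):
        for ld, kind in antecedents[ri]:
            if kind != "dynamic":
                continue
            for j in range(i + 1, len(sequence)):
                if (negate(ld), "dynamic") not in antecedents[sequence[j]]:
                    continue
                for m, m_neg in product(schemas_entailing(ld, schemas),
                                        schemas_entailing(negate(ld), schemas)):
                    constraints.add((m, m_neg))
                    for rk in sequence[i:j]:
                        for ls, kind_s in antecedents[rk]:
                            if kind_s == "static":
                                for ms in schemas_entailing(ls, schemas):
                                    constraints.add((ms, m_neg))
    return constraints

# Third step (section 4.3): constructed fragments of an agent's protocol state machine,
# as {(state, schema received): next state}.  Not the paper's figure 5.
ACCEPTING_MACHINE = {("q0", "M"): "q1", ("q1", "S"): "q2", ("q2", "M'"): "q3",
                     ("q0", "S"): "q4", ("q4", "M"): "q2"}
REJECTING_MACHINE = {("q0", "M'"): "q1", ("q1", "M"): "q2", ("q2", "S"): "q3"}

def protocol_admits(constraints, needed, machine, start):
    """Depth-first search for a path from `start` that receives every needed schema
    once, never receiving `after` before all of its `before` schemas."""
    def may_receive(schema, received):
        return all(before in received for before, after in constraints if after == schema)
    def walk(state, received):
        if needed <= received:
            return True
        return any(walk(nxt, received | {schema})
                   for (src, schema), nxt in machine.items()
                   if src == state and schema not in received
                   and may_receive(schema, received))
    return walk(start, frozenset())

def section5_scenario():
    """Temporal constraints of the section 5 scenario, and whether each constructed
    protocol fragment admits them."""
    order = temporal_constraints(FIRED_SEQUENCE, ACQUIRED_IN_ANTECEDENT, SCHEMAS)
    return (order,
            protocol_admits(order, set(SCHEMAS), ACCEPTING_MACHINE, "q0"),
            protocol_admits(order, set(SCHEMAS), REJECTING_MACHINE, "q0"))

if __name__ == "__main__":
    print(section5_scenario())   # ({('M', "M'"), ('S', "M'")}, True, False)
```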
6 Conclusion 


In this paper, a formal method to verify the consistency of the reasoning process 
of a deliberative agent w.r.t. communication protocols has been presented. To 
the best of our knowledge, there is no other method or tool that also addresses 
this kind of verification. It is also noteworthy that the agent to be verified encom- 
passes a hybrid KB that permits the representation of non-monotonic reasoning 
and arithmetic constraints. 

7 Future Work 

Mainly, there are two aspects of the proposed method that we want to improve: 
first, the validation of the deductive tree w.r.t. control mechanisms, more con- 
cretely, w.r.t. metarules; and second, the deletion of redundancy in the sets of 
temporal constraints by taking into account transitive dependencies and other 
aspects. 

Moreover, we are working on the adaptation of the proposed method so that 
it can be applied to verify agents whose knowledge domain is expressed in a widely 
known ontology language like OWL². 


² http://www.w3.org/TR/owl-features/ 
Abstract. Understanding and using the data and knowledge encoded in seman- 
tic web documents requires an inference engine. F-OWL is an inference engine 
for the semantic web language OWL language based on F-logic, an approach to 
defining frame-based systems in logic. F-OWL is implemented using XSB and 
Flora-2 and takes full advantage of their features. We describe how F-OWL 
computes ontology entailment and compare it with other description logic based 
approaches. We also describe TAGA, a trading agent environment that we have 
used as a test bed for F-OWL and to explore how multiagent systems can use 
semantic web concepts and technology. 


1 Introduction 

The central idea of the Semantic Web [Berners-Lee 2001] is to publish documents on 
the World Wide Web defined and linked in a way that makes them both human 
readable and machine understandable. Human readable means documents in the 
traditional sense which are intended for machine display and human consumption. 
Machine understandable means that the data has explicitly been prepared for machine 
reasoning and reuse across various applications. Realizing the semantic web vision 
requires well defined languages that can model the meaning of information on the 
Web as well as applications and services to publish, discover, process and annotate 
information encoded in them. This involves aspects from many areas, including 
knowledge representation and reasoning, databases, information retrieval, digital li- 
braries, multi-agent systems, natural language processing and machine learning. The 
Web Ontology Language OWL [Patel-Schneider, 2003] is part of the growing stack of 
W3C recommendations related to the Semantic Web. OWL has its origins in 
DAML+OIL [Hendler 2000] and includes a set of three increasingly complex sub- 
languages: OWL-Lite, OWL-DL and OWL-Full. 


1 This work was partially supported by the Defense Advanced Research Projects Agency 
under contract F30602-97-1 -0215 and by the National Science Foundation under award IIS- 
0242403. 



OWL has a model-theoretic semantics that provides a formal meaning for OWL on- 
tologies and instance data expressed in them. In addition, to support OWL-Full, a 
second model-theoretic semantics has been developed as an extension to the RDFS 
semantics, grounding the meaning of OWL ontologies as RDF graphs. An OWL infer- 
ence engine's core responsibilities are to adhere to the formal semantics in processing 
information encoded in OWL, to discover possible inconsistencies in OWL data, and 
to derive new information from known information. A simple example demonstrates 
the power of inference: Joe is visiting San Francisco and wants to find an Italian res- 
taurant in his vicinity. His wireless PDA tries to satisfy his desire by searching for a 
thing of type restaurant with a cuisineType property with the value Italian. The 
goodPizza restaurant advertises its cuisine type as Pizza. These cannot be matched as 
keywords or even using a thesaurus, since Italian and Pizza are not equivalent in all 
contexts. The restaurant ontology makes things clearer: Pizza rdfs:subClassOf Ital- 
ianCuisine. By using an inference engine, Joe's PDA can successfully determine that 
the restaurant goodPizza is what he is looking for. F-OWL, an inference engine for 
the OWL language, is designed to accomplish this task. 

In the next section, we outline the functional requirements of the OWL inference en- 
gine. Section three describes F-OWL, the OWL inference engine in Frame Logic that 
we have developed. Section four explains how F-OWL is used in a multi-agent test 
bed for trading agents. Sections five and six conclude this paper with a discussion of 
the work and results and an outline of some potential future research. 


2 OWL Engine 

An inference engine is needed for the processing of the knowledge encoded in the 
semantic web language OWL. An OWL inference engine should have the following fea- 
tures: 

• Checking ontology consistency. An OWL concept ontology (e.g., terms de- 
fined in the “Tbox”) imposes a set of restrictions on the model graph. The 
OWL inference Engine should check the syntax and usage of the OWL terms 
and ensure that the OWL instances (e.g., assertions in the “Abox”) meet all of 
the restrictions. 

• Computing entailments. Entailment, including satisfiability and subsumption, 
are essential inference tasks for an OWL inference engine. 

• Processing queries. OWL inference engines need a powerful, yet easy-to-use, 
language to support queries, both from human users (e.g., for debugging) and 
software components (e.g., for software agents). 

• Reasoning with rules. Rules can be used to control the inference capability, to 
describe business contracts, or to express complex constraints and relations 
not directly supported by OWL. An OWL inference engine should provide a 
convenient interface to process rules that involve OWL classes, properties and 
instance data. 

• Handling XML data types. XML data types can be used directly in OWL to 
represent primitive kinds of data types, such as integers, floating point numbers, 



strings and dates. New complex types can be defined using base types and other 
complex types. An OWL inference Engine must be able to test the satisfiability 
of conjunctions of such constructed data types. 

The OWL language is rooted in description logic (DL), a family of knowledge representation languages designed for encoding knowledge about concepts and concept hierarchies. Description Logics are generally given a semantics that makes them subsets of first-order logic. Therefore, several different approaches based on those logics have been used to design OWL inference engines: 

• Using a specialized description logic reasoner. Since OWL is rooted in description logic, it is not surprising that DL reasoners are the most widely used tools for OWL reasoning. DL reasoners are used to specify the terminological hierarchy and support subsumption. This approach has the advantage of being decidable. Three well-known systems are FaCT [Horrocks, 1999], Racer [Haarslev 2001] and Pellet. They implement different types of description logic. The Racer system implements SHIQ(D) using a Tableaux algorithm. It is a complete reasoner for OWL-DL and supports both Tbox and Abox reasoning. The FaCT system implements SHIQ, but only supports Tbox reasoning. Pellet implements SHIN(D) and includes a complete OWL-Lite consistency checker supporting both Abox and Tbox queries. 

• Using a full first order logic (FOL) theorem prover. OWL statements can be easily translated into FOL, enabling one to use existing FOL automated theorem provers to do the inference. Examples of this approach include Hoolet (using the Vampire [Riazanov, 2003] theorem prover) and Surnia (using the Otter theorem prover). In Hoolet, for example, OWL statements are translated into a collection of axioms which is then given to the Vampire theorem prover for reasoning. 

• Using a reasoner designed for a FOL subset. A fragment of FOL and a general logic based inference engine can also be used to design the OWL inference engine. Horn Logic is the most widely used because of its simplicity and the availability of tools, including Jena, Jess, Triple and F-OWL (using XSB). Other logics, like the higher-order logic in F-OWL (using Flora), can also be used. 

As the following sections describe, F-OWL has taken the third approach. An obvious advantage is that many systems have been developed that efficiently reason over expressive subsets of FOL and are easy to understand and use. 


3 F-OWL 

F-OWL is a reasoning system for RDF and OWL that is implemented using the XSB 
logic programming system [Sagonas, 1994] and the Flora-2 [Kifer, 1995] [Yang 2000] 
extension that provides an F-logic frame-based representation layer. We have found 
that XSB and Flora-2 not only provide a good foundation in which to implement an 
OWL reasoner but also facilitate the integration of other reasoning mechanisms and 
applications, such as default reasoning and planners. 



XSB is a logic programming system developed at Stony Brook University. In addition to providing all the functionality of Prolog, XSB contains several features not usually found in Logic Programming systems, including tabling, non-stratified negation, higher order constructs, and a flexible preprocessing system. Tabling is useful for recursive query computation, allowing programs to terminate correctly in many cases where Prolog does not. This allows, for example, one to include "if and only if" type rules directly. XSB supports extensions of normal logic programs through preprocessing libraries, including a sophisticated object-oriented interface called Flora-2. Flora-2 is itself a compiler that compiles from a dialect of Frame logic into XSB, taking advantage of the tabling, HiLog [Chen 1995] and well-founded semantics for negation features found in XSB. Flora-2 is implemented as a set of run-time libraries and a compiler that translates a unified language of F-logic and HiLog into tabled Prolog code. HiLog is the default syntax that Flora-2 uses to represent function terms and predicates. Flora-2 is a sophisticated object-oriented knowledge base language and application development platform. The programming language supported by Flora-2 is a dialect of F-logic with numerous extensions, which include a natural way to do meta-programming in the style of HiLog and logical updates in the style of Transaction Logic. Flora-2 was designed with extensibility and flexibility in mind, and it provides strong support for modular software design through its unique feature of dynamic modules. 

F-OWL is the OWL inference engine that uses a Frame-based System to reason with OWL ontologies. F-OWL is accompanied by a simple OWL importer that reads an OWL ontology from a URI and extracts RDF triples out of the ontology. The extracted RDF triples are converted to a format appropriate for F-OWL's frame style and fed into the F-OWL engine. It then uses rules written in the Flora-2 language to check the consistency of the ontology and extract hidden knowledge via resolution. 

A model theory is a formal theory that relates expressions to interpretations. The RDF model theory [Hayes 2003] formalizes the notion of inference in RDF and provides a basis for computing the deductive closure of RDF graphs. The semantics of OWL, an extension of the RDF semantics, defines bindings, extensions of OWL interpretations that map variables to elements of the domain: 

• The vocabulary V of the model is composed of a set of URIs. 

• LV is the set of literal values and XL is the mapping from the literals to LV. 

• A simple interpretation I of a vocabulary V is defined by: 

  • A non-empty set IR of resources, called the domain or universe of I. 

  • A mapping IS from V into IR. 

  • A mapping IEXT from IR into the power set of IR × (IR ∪ LV), i.e. the set of sets of pairs <x,y> with x in IR and y in IR or LV. This mapping defines the properties of the triples. IEXT(x) is a set of pairs which identify the arguments for which the property is true, i.e. a binary relational extension, called the extension of x. 



Informally this means that every URI represents a resource that might be a page on the Internet but not necessarily; it might also be a physical object. A property is a relation; this relation is defined by an extension mapping from the property into a set. This set contains pairs where the first element of a pair represents the subject of a triple and the second element represents the object of a triple. With this system of extension mapping the property can be part of its own extension without causing paradoxes. 

Take the triple :goodPizza :cuisineType :Pizza from the pizza restaurant in the introduction as an example. In the set of URIs there will be terms (i.e., classes and properties) like #goodPizza, #cuisineType, #Pizza, #Restaurant, #italianCuisine, etc. These are part of the vocabulary V. The set IR of resources includes instances that represent resources on the Internet or elsewhere, like #goodPizza, etc. For example the class #Restaurant might represent the set of all restaurants. The URI refers to a page on the Internet where the domain IR is defined. Then there is the mapping IEXT from the property #cuisineType to the set {(#goodPizza, #Pizza), (#goodPizza, #italianCuisine)} and the mapping IS from V to IR: :goodPizza → #goodPizza, :cuisineType → #cuisineType. 

A rule A → B is satisfied by an interpretation I if and only if every binding that satisfies the antecedent A also satisfies the consequent B. An ontology O is satisfied by an interpretation I if and only if the interpretation satisfies every rule and fact in the ontology. A model is satisfied if none of the statements within it contradict each other. An ontology O is consistent if and only if it is satisfied by at least one interpretation. An ontology O2 is entailed by an ontology O1 if and only if every interpretation that satisfies O1 also satisfies O2. 

One of the main problems in OWL reasoning is ontology entailment. Many OWL reasoning engines, such as Pellet and SHOQ, follow an approach suggested by Ian Horrocks [Horrocks 2003]. By taking advantage of the close similarity between OWL and description logic, OWL entailment can be reduced to knowledge base satisfiability in SHOIN(D) and SHIF(D). Consequently, existing mature DL reasoning engines such as Racer [Haarslev 2001] can provide reasoning services to OWL. Ora Lassila suggested a "True RDF processor" [Lassila 2002] in his implementation of the Wilbur system [Lassila 2001], in which entailment is defined via the generation of a deductive closure from an RDF graph composed of triples. Proving entailment then becomes building and searching the closure graph. 

With the support of forward/backward reasoning from XSB and frame logic from Flora, F-OWL takes the second approach to compute the deductive closure of a set of RDF or OWL statements. The closure is a graph consisting of every triple <subject, predicate, object> that satisfies <subject, object> ∈ IEXT(I(predicate)). This is defined as: 

<subject, predicate, object> ∈ KB <=> <subject, object> ∈ IEXT(I(predicate)) 

where KB is the knowledge base, I(x) is the interpretation of a particular graph, and IEXT(x) is the binary relational extension of a property as defined in [Hayes 2002]. 

2 The W3C says of URIs: "Uniform Resource Identifiers (URIs, aka URLs) are short strings that identify resources in the web: documents, images, downloadable files, services, electronic mailboxes, and other resources." By convention, people understand many URIs as denoting objects in the physical world. 

F-OWL is written in the Flora-2 extension to XSB and consists of the following 
major sets of rules: 

• A set of rules that reasons over the data model of RDF/RDF-S and OWL; 

• A set of rules that maps XML DataTypes into XSB terms; 

• A set of rules that performs ontology consistency checks; and 

• A set of rules that provides an interface between the upper Java API calls to the 
lower layer Flora-2/XSB rules. 

F-OWL provides a command line interface, a simple graphical user interface and a Java API to satisfy different requirements. Using F-OWL to reason over an ontology typically consists of the following four steps: 

• Loading additional application-related rules into the engine; 

• Adding new RDF and OWL statements (e.g., ontologies or assertions) to the engine. The triples (subject, predicate, object) of the OWL statements are translated into 2-ply frame style: subject(predicate, object)@model; 

• Querying the engine. The RDF and OWL rules are recursively applied to generate all legal triples. If a query has no variables, a True answer is returned when an interpretation of the question is found. If the query includes variables, the variables are bound to values from the interpretation and returned; 

• The ontology and triples can be removed if desired. Otherwise, the XSB system saves the computed triples in indexed tables, making subsequent queries faster. 
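The closure definition above (every triple whose <subject, object> pair lies in IEXT(I(predicate))) and the load/query steps just listed can be made concrete with a small triple store. The following is an added example written for this page, not F-OWL's Flora-2 rules or its Java API: it saturates a graph with a handful of RDFS entailment rules (subClassOf transitivity, type inheritance, subPropertyOf, domain and range) plus owl:sameAs, then answers Joe's restaurant query and the "starter is sameAs appetizer" price question from the TAGA section. Unlike F-OWL, which proves triples on demand and memoizes them through XSB tabling, this engine forward-chains to a fixpoint and caches the result until a new assertion is added. The vocabulary (:goodPizza, :cuisineType, :hasPrice, :starter) and all triples are constructed sample data, not taken from the paper's ontology files.

```python
"""Forward-chaining deductive closure over RDF/OWL triples (added example, not F-OWL code)."""
from statistics import mean
from typing import Optional, Set, Tuple

Triple = Tuple[str, str, str]

# Vocabulary terms the rules below understand.
RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
RANGE = "rdfs:range"
SAME_AS = "owl:sameAs"


class TripleStore:
    """A model holding <subject, predicate, object> triples. closure() saturates it with
    every triple the RDFS/owl:sameAs rules entail, so a triple is in the store exactly
    when <subject, object> is in the extension IEXT(I(predicate))."""

    def __init__(self) -> None:
        self.triples: Set[Triple] = set()
        self.closed = False

    def add(self, s: str, p: str, o: str) -> None:
        self.triples.add((s, p, o))
        self.closed = False  # a new assertion invalidates the saturated state

    def _round(self) -> Set[Triple]:
        """Apply every rule once over the current graph; return the triples not yet present."""
        t = self.triples
        derived: Set[Triple] = set()
        sub = [(a, b) for a, p, b in t if p == SUBCLASS]
        subp = [(a, b) for a, p, b in t if p == SUBPROP]
        dom = [(a, b) for a, p, b in t if p == DOMAIN]
        rng = [(a, b) for a, p, b in t if p == RANGE]
        same = [(a, b) for a, p, b in t if p == SAME_AS]
        derived.update((a, SUBCLASS, c) for a, b in sub for b2, c in sub if b == b2)  # rdfs11
        derived.update((b, SAME_AS, a) for a, b in same)  # owl:sameAs is symmetric
        for s, p, o in t:
            if p == RDF_TYPE:  # rdfs9: an instance of C is an instance of every superclass of C
                derived.update((s, RDF_TYPE, d) for c, d in sub if c == o)
            derived.update((s, q, o) for p2, q in subp if p2 == p)         # rdfs7
            derived.update((s, RDF_TYPE, c) for p2, c in dom if p2 == p)   # rdfs2
            derived.update((o, RDF_TYPE, c) for p2, c in rng if p2 == p)   # rdfs3
            # owl:sameAs: resources declared equal share every triple they occur in
            derived.update((b, p, o) for a, b in same if a == s)
            derived.update((s, p, b) for a, b in same if a == o)
        return derived - t

    def closure(self) -> Set[Triple]:
        """Saturate to a fixpoint; the result is cached until a new triple is added."""
        if not self.closed:
            while True:
                new = self._round()
                if not new:
                    break
                self.triples |= new
            self.closed = True
        return self.triples

    def query(self, s: Optional[str] = None, p: Optional[str] = None,
              o: Optional[str] = None) -> Set[Triple]:
        """Pattern query against the closure; None stands for a variable."""
        return {(ts, tp, to) for ts, tp, to in self.closure()
                if s in (None, ts) and p in (None, tp) and o in (None, to)}


def italian_restaurants(store: TripleStore) -> Set[str]:
    """Joe's query: restaurants whose cuisineType is ItalianCuisine or a subclass of it."""
    closure = store.closure()
    return {r for r, _, cuisine in store.query(p=":cuisineType")
            if cuisine == ":ItalianCuisine" or (cuisine, SUBCLASS, ":ItalianCuisine") in closure}


def average_price(store: TripleStore, category: str) -> float:
    """Average :hasPrice over every individual the closure types as `category`."""
    prices = [float(price) for item, _, _ in store.query(p=RDF_TYPE, o=category)
              for _, _, price in store.query(s=item, p=":hasPrice")]
    return mean(prices)


def build_sample_store() -> TripleStore:
    """Constructed sample data echoing the paper's restaurant example (not its ontology)."""
    st = TripleStore()
    st.add(":Pizza", SUBCLASS, ":ItalianCuisine")
    st.add(":ItalianCuisine", SUBCLASS, ":Cuisine")
    st.add(":cuisineType", DOMAIN, ":Restaurant")
    st.add(":goodPizza", ":cuisineType", ":Pizza")
    st.add(":sushiBar", ":cuisineType", ":Japanese")
    st.add(":soup", RDF_TYPE, ":appetizer")
    st.add(":soup", ":hasPrice", "5.00")
    st.add(":salad", RDF_TYPE, ":appetizer")
    st.add(":salad", ":hasPrice", "7.00")
    st.add(":starter", SAME_AS, ":appetizer")  # the menu vocabulary mismatch from the TAGA example
    return st


if __name__ == "__main__":
    store = build_sample_store()
    print(italian_restaurants(store), average_price(store, ":starter"))
```

The query functions never touch `triples` directly; they go through `closure()`, so the answer for `:goodPizza` is found only because `(:Pizza, rdfs:subClassOf, :ItalianCuisine)` is in the saturated graph and `:soup rdf:type :starter` exists only because the sameAs rule copied the `rdf:type :appetizer` triple. That is the practical meaning of "extracting hidden knowledge": the asserted graph contains neither fact.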


4 F-OWL in TAGA 

Travel Agent Game in Agentcities (TAGA) [Zou 2003] is a travel market game devel- 
oped on the foundation of FIPA technology and the Agentcities infrastructure. One of 
its goals is to explore and demonstrate how agent and semantic web technology can 
support one another and work together. 

TAGA extends and enhances the Trading Agent Competition scenario to work in Agentcities, an open multiagent systems environment of FIPA compliant systems. TAGA makes several contributions: auction services are added to enrich the Agentcities environment, the use of the semantic web languages RDF and OWL improves the interoperability among agents, and the OWL-S ontology is employed to support service registration, discovery and invocation. The FIPA and Agentcities standards for agent communication, infrastructure and services provide an important foundation in building this distributed and open market framework. TAGA is intended as a platform for research in multi agent systems, the semantic web and/or automated trading in dynamic markets as well as a self contained application for teaching and experimentation with these technologies. It is running as a continuous open game at http://taga.umbc.edu/ and source code is available on Sourceforge for research and teaching purposes. 

The agents in TAGA use OWL in various ways in communication using the FIPA 
agent content language (ACL) and also use OWL-S as the service description lan- 
guage in FIPA’s directory facilitators. Many of the agents in the TAGA system use F- 
OWL directly to represent and reason about content presented in OWL. On receiving 
an ACL message with content encoded in OWL, a TAGA agent parses the content into 
triples, which are then loaded into the F-OWL engine for processing. 

When an agent receives an incoming ACL message, it computes the meaning of the message from the ACL semantics, the protocols in effect, the content language and the conversational context. The agent's subsequent behavior, both internal (e.g., updating its knowledge base) and external (e.g., generating a response), depends on the correct interpretation of the message's meaning. Thus, a sound and, if possible, complete understanding of the semantics of the key communication components (i.e., ACL, protocol, ontologies, content language, context) is extremely important. In TAGA, the service providers are independent and autonomous entities, which makes it difficult to enforce a design decision that all use exactly the same ontology or protocol. For example, the Delta Airline service agent may have its own view of the travel business and use class and property terms that extend an ontology used in the industry. This situation parallels that of the semantic web as a whole: some amount of diversity is inevitable and must be planned for lest our systems become impossibly brittle. 

Many of the agents implemented in the TAGA system use F-OWL to represent and reason about the message content presented in RDF or OWL. Upon receiving an ACL message with content in RDF or OWL, a TAGA agent parses the content into triples, which are then loaded into the F-OWL engine for processing. 

The message’s meaning (communicative act, protocol, content language, ontologies 
and context) all play a part in the interpretation. For example, when an agent receives 
a query message that uses the query protocol, the agent searches its knowledge base 
for matching answers and returns an appropriate inform message. TAGA uses multiple 
models to reflect the multiple namespaces and ontologies used in the system. The 
agent treats each ontology as an independent model in the F-OWL engine. 

F-OWL has many uses in TAGA, including the following. 

• As a knowledge base. Upon receiving an ACL message with content encoded in OWL, agents in TAGA parse the content into triples and feed them into their F-OWL engine. The information can be easily retrieved by submitting queries in various query languages. 

• As a reasoning engine. The agent can answer more questions with the help of the F-OWL engine; for example, the restaurant can answer the question "what is the average price of a starter" after it understands that "starter" is sameAs "appetizer". 

• As a service matchmaker. FIPA platforms provide a directory facilitator service which matches service requests against descriptions of registered services. We have extended this model by using OWL-S as a service description language. F-OWL manages the service profiles and tries to find the best match based on the description in the service request. 

• As an agent interaction coordinator. The interaction protocol can be encoded into an ontology file using the OWL language. F-OWL will advise the agents what to respond based on received messages and context. 

5 Discussion 

This section describes the design and implementation of F-OWL, an inference engine 
for OWL language. F-OWL uses a Frame-based System to reason with OWL ontolo- 
gies. F-OWL supports consistency checking of the knowledge base, extracts hidden 
knowledge via resolution and supports further complex reasoning by importing rules. 
Based on our experience in using F-OWL in several projects, we found it to be a fully 
functional inference engine that was relatively easy to use and able to integrate with 
multiple query languages and rule languages. 

There has been a great deal of work on OWL inference engines, from both the semantic web research community and the description logic community. The following table compares F-OWL with some of them: 

Table 1: Comparison of F-OWL and other OWL Inference Engines 

The first thing to notice in Table 1 is that the description logic based systems can only support reasoning over OWL-Lite and OWL-DL statements but not OWL-Full. OWL-Full is a full extension of RDF, which requires support for terminological cycles. For example, a class in OWL-Full can also be an individual or a property. Cyclic terminological definitions can be recognized and understood in Horn logic or frame logic systems. 

Table 1 shows that only three DL-based OWL inference engines, which all use Tableau-based algorithms [Baader 2000], are decidable and support complete consistency checking (at least in OWL-Lite). However, [Balaban 1993] argues that DL only forms a subset of F-Logic. The three kinds of formulae in description logic can be transformed into first class objects and n-ary relationships. F-Logic is able to provide a full account of DL without losing any semantics or descriptive nature. We understand that our current F-OWL approach is neither decidable nor complete. However, a complete F-Logic based OWL-DL reasoner is feasible. 

The table also shows that the F-OWL system doesn't scale well when dealing with large datasets, because of the incompleteness of the reasoner. Actually, none of the OWL inference engines listed here scales well when dealing with the OWL test case wine ontology 3, which defines thousands of classes and properties and a relatively modest number of individuals. Further research is needed to improve the performance and desirability. 

Compared with other OWL inference engines, F-OWL has several unique features: tabling, support for multiple logics for reasoning, and a pragmatic orientation. 

Tabling. XSB’s tabling mechanism gives F-OWL the benefits of a forward chain- 
ing system in a backward chaining environment. The triples in a model are computed 
only when the system needs to know whether or not they are in the model. Once it is 
established that a triple is in the current model, it is added to the appropriate table, 
obviating the need to prove that it is in the model again. This mechanism can have a 
significant impact on the system’s performance. While the first few queries may take a 
long time, subsequent queries tend to be very fast. This is an interesting compromise 
between a typical forward-only reasoning system and backward-only reasoning sys- 
tems. 

Multiple logics. F-OWL supports Horn logic, frame logic and a kind of higher-order logic, all inherited from the underlying XSB and Flora substrates. Working together, these logic frameworks improve F-OWL's performance and capabilities. For example, the F-logic supports non-monotonic (default) reasoning. Another example is higher-order logic. The semantics of higher-order logics, in general, are difficult and in many cases not suitable for practical applications. XSB's HiLog, however, is a simple syntactic extension of first-order logic in which variables can appear in the position of a predicate. In many cases, this simplifies the expression of statements, rules and constraints, improving the writability and readability of F-OWL and associated programs. 


3 The wine ontology is used as a running example in the W3C's OWL Web Ontology Language 
Guide and is available at http://www.w3.org/TR/owl-guide/wine.owl. 



Pragmatic approach. The aim of the F-OWL system is to be a practical OWL reasoner, not necessarily a complete OWL reasoner. So the F-OWL system provides various interfaces to access the engine and supports multiple query and rule languages. 

In the open web environment, it is generally assumed that the data are not complete and not all facts are known. We will research how this fact affects the implementation of the inference engine. In the semantic web an inference engine may not necessarily serve to generate proofs but should be able to check proofs. We will work on using F-OWL to resolve trust and proof in the semantic web. 

In a stand-alone system inconsistencies are dangerous but can be controlled to a certain degree. However, controlling inconsistencies in the Semantic Web is a lot more difficult. During communication, ontology definitions originating from other agents, who are unknown beforehand, may be asserted. Therefore special mechanisms are needed to deal with inconsistent and contradictory information in the Semantic Web. There are two steps: detecting the inconsistency and resolving the inconsistency. 

The detection of an inconsistency is based on the declaration of inconsistency in the inference engine. A restriction, which constrains the possible values and relations that ontology elements can have, leads to the inconsistency. For example, owl:equivalentClass imposes a restriction on the resource which the subject is the same class as; owl:disjointWith imposes a restriction on the resource which the subject is different from. The triples (a owl:equivalentClass b) and (a owl:disjointWith b) do not directly lead to an inconsistency until the detection rule is applied: 

(A owl:equivalentClass B) & (A owl:disjointWith B) → inconsistency. 

When inconsistencies are detected, namespaces can help trace the origin of the inconsistencies. John posted "all dogs are human" at his web site, while "all dogs are animal" appears in daml.org's ontology library. It is clear that the second is more trustworthy. Every web site is identified and treated unequivocally in the semantic web. The inference engine contacts a trust system to evaluate the credibility of the namespaces. [Klyne 2002] and [Golbeck 2003] list much work and many good ideas about how to maintain a trust system in the semantic web. Once it has the trust evaluation result, the agent could take three different actions: (a) accept the one suggested by the inference engine; (b) reject both as neither of them is trustworthy; (c) ask the human user to select. 
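The two steps just described, declared detection rules followed by namespace-based resolution, are the part of the design a defender most wants to see in code, because assertions arriving from unknown agents are untrusted input and the namespace each triple came from is the only provenance available. The block below is an added example written for this page, not F-OWL's consistency-check rules or any real trust service: every triple carries the namespace that asserted it, two detection rules fire over the facts (the paper's equivalentClass/disjointWith rule and a second rule for an individual typed by two disjoint classes), and the resolver maps a trust score per namespace onto the three actions the paragraph lists. The namespace URLs, the trust table and its 0.5 threshold are constructed placeholders.

```python
"""Inconsistency detection rules with namespace-based trust resolution (added example)."""
from typing import Dict, List, NamedTuple, Optional, Tuple

EQUIV = "owl:equivalentClass"
DISJOINT = "owl:disjointWith"
RDF_TYPE = "rdf:type"


class Fact(NamedTuple):
    s: str
    p: str
    o: str
    source: str  # namespace (web site or agent) that asserted the triple


class Inconsistency(NamedTuple):
    rule: str
    facts: Tuple[Fact, ...]


def detect(facts: List[Fact]) -> List[Inconsistency]:
    """Run the declared inconsistency rules over the asserted facts."""
    by_pred: Dict[str, List[Fact]] = {}
    for f in facts:
        by_pred.setdefault(f.p, []).append(f)
    disjoint = by_pred.get(DISJOINT, [])
    found: List[Inconsistency] = []
    # Rule 1: (A owl:equivalentClass B) & (A owl:disjointWith B) -> inconsistency
    for e in by_pred.get(EQUIV, []):
        for d in disjoint:
            if {e.s, e.o} == {d.s, d.o}:
                found.append(Inconsistency("equivalentClass/disjointWith", (e, d)))
    # Rule 2: (x rdf:type A) & (x rdf:type B) & (A owl:disjointWith B) -> inconsistency
    types = by_pred.get(RDF_TYPE, [])
    for t1 in types:
        for t2 in types:
            if t1.s == t2.s and t1.o < t2.o:  # visit each unordered class pair once
                for d in disjoint:
                    if {d.s, d.o} == {t1.o, t2.o}:
                        found.append(Inconsistency("disjoint types", (t1, t2, d)))
    return found


def resolve(inc: Inconsistency, trust: Dict[str, float],
            threshold: float = 0.5) -> Tuple[str, Optional[str]]:
    """Choose one of the three actions: accept the most credible namespace's facts,
    reject everything when no namespace is credible, or defer to the human user."""
    scores = {f.source: trust.get(f.source, 0.0) for f in inc.facts}  # unknown -> 0
    trusted = [src for src, sc in scores.items() if sc >= threshold]
    if not trusted:
        return "reject", None
    best = max(trusted, key=lambda src: scores[src])
    tied = sum(1 for src in trusted if scores[src] == scores[best])
    if len(scores) == 1 or tied > 1:
        return "ask-user", None  # one namespace contradicting itself, or no clear winner
    return "accept", best


def audit(facts: List[Fact], trust: Dict[str, float]) -> List[Tuple[str, str, Optional[str]]]:
    """Detect, then resolve; returns (rule, action, accepted namespace) per inconsistency."""
    return [(inc.rule,) + resolve(inc, trust) for inc in detect(facts)]


# Constructed sample data; the namespace URLs are placeholders, not real sites.
SAMPLE_FACTS = [
    Fact(":Dog", EQUIV, ":Human", "http://john.example/ontology"),
    Fact(":Dog", DISJOINT, ":Human", "daml.org"),
    Fact(":fido", RDF_TYPE, ":Dog", "http://john.example/ontology"),
    Fact(":fido", RDF_TYPE, ":Human", "http://john.example/ontology"),
    Fact(":Cat", EQUIV, ":Rock", "http://alice.example/ontology"),
    Fact(":Cat", DISJOINT, ":Rock", "http://bob.example/ontology"),
]
TRUST = {"daml.org": 0.9, "http://john.example/ontology": 0.2}  # constructed trust scores

if __name__ == "__main__":
    for rule, action, source in audit(SAMPLE_FACTS, TRUST):
        print(rule, action, source)
```

Keeping the source on every fact is the design choice that matters: once triples from several agents are merged into one model, a contradiction can no longer be attributed to anyone, so the resolver's job becomes impossible. The resolver also never accepts on a tie or a self-contradicting namespace; it escalates instead, which matches action (c) and avoids silently letting one untrusted assertion decide.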


6 Conclusion 

This paper describes the design and implementation of F-OWL, an inference engine for the OWL language. F-OWL uses a Frame-based System to reason with OWL ontologies. F-OWL supports consistency checking, extracts hidden knowledge via resolution and supports further complex reasoning by importing rules. While using it in the TAGA use case, we found that F-OWL is a fully functional inference engine and easy to use with the support of multiple query languages and rule languages. 

In the open web environment, it is generally assumed that the data are not complete and not all facts are known. We will research how this fact affects the implementation of the inference engine. In the semantic web an inference engine may not necessarily serve to generate proofs but should be able to check proofs. We will work on using F-OWL to resolve trust and proof in the semantic web in the future. 
Abstract. The Model Driven Architecture (MDA) approach uses a platform- 
independent model to define system functionality, or requirements, us- 
ing some specification language. The requirements are then translated 
to a platform-specific model for implementation. An agent architecture 
based on the human cognitive model of planning, the Cognitive Agent 
Architecture (Cougaar) is selected for the implementation platform. The 
resulting Cougaar MDA prescribes certain kinds of models to be used, 
how those models may be prepared and the relationships of the different 
kinds of models. Using the existing Cougaar architecture, the level of 
application composition is elevated from individual components to do- 
main level model specifications in order to generate software artifacts. 

The software artifacts generation is based on a metamodel. Each compo- 
nent maps to a UML structured component which is then converted into 
multiple artifacts: Cougaar/Java code, documentation, and test cases. 


1 Introduction 

Agent-based systems provide a foundation for the development of large scale applications like logistics management, battlefield management and supply-chain management, to mention a few. An example of an agent-based system is Cougaar (Cognitive Agent Architecture). Cougaar provides a software architecture for distributed agent-based applications in domains characterized by hierarchical decomposition, tracking of complex tasks, and generation and maintenance of dynamic plans [1,2]. 

The ability to develop very complex applications comes with a price. It takes a lot of effort and learning in order to have a complete understanding and the ability to effectively use such agent-based systems. A domain expert must closely collaborate with the developer in order to fully utilize an agent-based system for a particular domain. It is very unlikely that a domain expert will have sufficient understanding of the underlying agent-based system. 

A Model Driven Architecture (MDA) based approach can be used to automatically generate software artifacts and to significantly simplify application development [3,4, ?]. The domain expert can specify requirements in a familiar, platform-independent format that hides platform-specific details. 

The MDA approach can be used for developing applications using the Cougaar agent-based architecture. Cougaar components can be composed into a General Cougaar Application Model (GCAM), and a General Domain Application Model (GDAM) can be developed for specifying and automatically generating software applications. This approach is discussed in the paper. 

The remainder of the paper is organized as follows. Section 2 briefly describes 
Cougaar and its capabilities. Section 3 describes the use of the MDA approach for 
Cougaar-based applications. Section 4 discusses the Cougaar-based MDA model 
while Section 5 describes the implementation. Section 6 concludes the paper. 


2 Cougaar Agent-Based System 

Cougaar is a "large-scale workflow engine built on a component-based distributed agent architecture" [1]. It is deployed as a society of agents, which communicate and work together to solve a problem. A Cougaar society is a set of agents running on one or more interconnected computers, all working together to solve a common class of problems. The problem may be partitioned into subproblems, in which case the responsible subset of agents is called a community. A society may have one or more communities within. 

The relationship between societies, communities, and agents is not a strict 
one, a society may directly contain both agents and communities. While a society 
has a real-world representation, a set of computers running a Cougaar system, 
a community is only notational in nature. 

A Cougaar agent is a first-class member of a Cougaar Society [1] and it contains a Blackboard and one or more Plugins. While the specific purpose of any agent is chosen by the system developer, the objective is for a single agent to represent a single organizational entity or a part thereof. 

At the most basic level, an agent consists of two parts: a Blackboard and a set 
of Plugins (Figure 1). The former is a container of objects, with a subscription- 
based change notification mechanism; the latter is a set of responders to these 
notifications, with the ability to change the contents of the Blackboard. 

The Blackboard serves as the communications backbone connecting the Plu- 
gins together. More importantly, it serves as the entry point for any incoming 
messages to the agent as a whole, which are then picked up by the Plugins for 
handling. All instance-specific behavior of the agent is implemented within the 
Plugin. A Plugin listens to add, remove, and change events on the Blackboard. 
Evaluating the objects involved in the event, the Plugin may respond by per- 
forming some computation, changes to the Blackboard, or some external work. 

A Cougaar Node conceptually encapsulates a set of agents. Agents can collaborate with other agents in the same Node or with agents in other Nodes. However, it is not a direct collaboration. Instead, Cougaar Tasks are allocated to Cougaar Organizations, which are representations of agents in the local Blackboard. The subscription mechanism allows agents to use Tasks to exchange messages (objects). The Cougaar communication infrastructure then ensures that the Task is sent to the destination Organization's (i.e. agent's) Blackboard. 

Fig. 1. Cougaar Agent Structure [1] 
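The Blackboard/Plugin structure described in this section (a container with subscription-based change notification, Plugins that react to add, remove and change events, and Tasks allocated to Organizations) is easiest to understand from a minimal working model. The following is an added example written for this page, not Cougaar's own Java code: a blackboard queues published events and delivers each one to every plugin whose subscription predicate matches, plugins may publish further changes while handling an event, and the run loop continues until the blackboard is quiescent. The `AllocatorPlugin` and `TransportPlugin`, the `Task`/`Allocation` classes and the "ship pallets" task are constructed for the illustration; both plugins live in the same agent here, standing in for the sending and receiving Organizations.

```python
"""Blackboard with subscription-based change notification and plugins (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Any, Callable, Deque, List, Optional, Tuple


@dataclass
class Task:
    verb: str
    status: str = "new"


@dataclass
class Allocation:
    """A Task handed to an Organization; the Organization fills in the result."""
    task: Task
    organization: str
    result: Optional[str] = None


class Plugin:
    name = "plugin"

    def execute(self, event: str, obj: Any, bb: "Blackboard") -> None:
        raise NotImplementedError


class Blackboard:
    """Container of objects; plugins subscribe with a predicate and are notified of
    add/change/remove events on matching objects. Events are queued, not delivered
    recursively, so a plugin's own publishes are handled after the current event."""

    def __init__(self) -> None:
        self.objects: List[Any] = []
        self.subscriptions: List[Tuple[Callable[[Any], bool], Plugin]] = []
        self.pending: Deque[Tuple[str, Any]] = deque()
        self.log: List[str] = []  # delivery trace, e.g. "add:Task->allocator"

    def subscribe(self, predicate: Callable[[Any], bool], plugin: Plugin) -> None:
        self.subscriptions.append((predicate, plugin))

    def publish_add(self, obj: Any) -> None:
        self.objects.append(obj)
        self.pending.append(("add", obj))

    def publish_change(self, obj: Any) -> None:
        self.pending.append(("change", obj))

    def publish_remove(self, obj: Any) -> None:
        self.objects.remove(obj)
        self.pending.append(("remove", obj))

    def run(self) -> int:
        """Deliver queued events until none remain; returns the number of deliveries."""
        delivered = 0
        while self.pending:
            event, obj = self.pending.popleft()
            for predicate, plugin in self.subscriptions:
                if predicate(obj):
                    self.log.append(f"{event}:{type(obj).__name__}->{plugin.name}")
                    plugin.execute(event, obj, self)
                    delivered += 1
        return delivered


class AllocatorPlugin(Plugin):
    """Allocates each new Task to an Organization and watches the allocation result."""
    name = "allocator"

    def __init__(self, organization: str) -> None:
        self.organization = organization

    def execute(self, event: str, obj: Any, bb: Blackboard) -> None:
        if isinstance(obj, Task) and event == "add" and obj.status == "new":
            obj.status = "allocated"
            bb.publish_add(Allocation(obj, self.organization))
        elif isinstance(obj, Allocation) and event == "change" and obj.result is not None:
            obj.task.status = obj.result  # propagate the Organization's answer to the Task
            bb.publish_change(obj.task)


class TransportPlugin(Plugin):
    """Plays the receiving Organization: performs the allocated work and reports back."""
    name = "transport"

    def execute(self, event: str, obj: Any, bb: Blackboard) -> None:
        if isinstance(obj, Allocation) and event == "add" and obj.result is None:
            obj.result = "done"
            bb.publish_change(obj)


def run_society(verb: str = "ship pallets") -> Tuple[str, List[str]]:
    """Wire one agent's blackboard and plugins, publish a Task, and run to quiescence."""
    bb = Blackboard()
    bb.subscribe(lambda o: isinstance(o, (Task, Allocation)), AllocatorPlugin("Transport"))
    bb.subscribe(lambda o: isinstance(o, Allocation), TransportPlugin())
    task = Task(verb)
    bb.publish_add(task)
    bb.run()
    return task.status, bb.log


if __name__ == "__main__":
    print(run_society())
```

The queue in `run()` is the point to notice: because a plugin's publishes are deferred rather than dispatched inline, the order of deliveries is deterministic and no plugin runs inside another plugin's handler, which is the property a real blackboard needs before several plugins are allowed to mutate shared objects.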

3 Cougaar Model Driven Architecture (CMDA) 

The MDA approach advocates converting a Platform Independent Model (PIM) into a Platform Specific Model (PSM) through a series of transformations, where the PIM is iteratively made more platform specific, ending in the PSM. The PIM is used to represent the system's business functionality without including any technical aspects. The PIM allows Subject Matter Experts (SMEs) to work at the domain layer. However, the current technologies may not offer the required richness to implement the complex transformation rules. For example, the Unified Modeling Language (UML), the foundation for MDA, lacks the required precision and formalization. 

While the development of PIM and PSM UML models might be easy, a blind adaptation of the MDA approach might create problems during the development of mapping rules and transformations. It should be noted that the MDA approach advocates a Computational Independent Model (CIM) that needs to be transformed into a PIM. Since UML uses different representations for each of the models, the translation between models is more like translation between natural languages: the mappings are not necessarily exact. Further, while the learning curve associated with UML is fairly low, the SMEs nevertheless need to learn a new technical language and need to "move" out of their work environment. 

The productivity of Cougaar system developers can be improved by using the MDA approach. The Cougaar MDA (CMDA) attempts to provide fully automated generation of software artifacts and simplifies Cougaar-based application development by providing two important abstraction layers. The first layer is the Generic Domain Application Model (GDAM) layer. The GDAM represents the PIM and encompasses the representation of generic agent and domain specific components found in the domain workflow. The second layer, the Generic Cougaar Application Model (GCAM), reflects the PSM or Cougaar architecture. The user specifies the intended Cougaar system using the workflow paradigm and the system is then refined using the GDAM and GCAM models. 

The GDAM layer implements the PIM based on a representation that SMEs are comfortable with and results in a proper mapping to the PSM. The goal is to make this mapping as automated as possible, while having a human-in-the-loop as a fallback mechanism to correct any mapping imperfections. The initial versions of the tool might force the developers to fine-tune the generated PSM to a certain extent, but it is hoped that as the tools and algorithms advance, such fine-tuning will be less and less necessary. 

The GDAM layer specifies the structure and semantic information that the 
tool uses to ensure that the developer has annotated the GDAM model properly. 
Furthermore, the layer provides all information required by the tool to produce 
a more specific but still platform-independent PIM that includes details of de- 
sired semantics, and guides choices that the approach/tool will have to make 
(Figure 2). 



Fig. 2. Basic CMDA Approach 


In order to develop a tool based on the proposed approach, the following 
assumptions and constraints were formulated after detailed research. 

— Fully automated software artifacts (requirements, design document, code, 
and test cases) generation is a desirable goal. 

— The generated requirements are partial in nature. 


— The validation of generated code and the generation of test cases are of lower 
priority. 

— The development of tools and implementation mechanisms are of lower pri- 
ority than formulating the “recipes” for transformations. 

— The intended users of the system are developers and subject matter experts. 

— The developer should be fully aware of the Cougaar system, its capabilities, 
and constraints. 

— The SMEs should have sufficient knowledge about the domain and a basic 
understanding of the requirements of the intended system. 


3.1 GDAM Layer 

The General Domain Application Model (GDAM) can be conceptually thought 
to be similar to various programming language libraries such as MFC or Swing. 
The libraries abstract and modularize the commonly used functions, thereby 
helping Subject Matter Experts (SMEs) to focus on encoding business logic. 
However, the abstractions achieved by class libraries, which are written in im- 
plementation language, are limited by the capabilities of the language. Further, 
SMEs have to work at the implementation language level. 

The genesis of the GDAM layer can be traced to the need to allow SMEs to 
develop systems at the domain layer using current technologies and simple trans- 
formation rules. In short, GDAM allows SMEs to represent the specifications of 
the system in a platform-independent, domain-specific language that can be 
transformed, without losing information, into specifications of how applications 
will be implemented in the Cougaar platform. Further, GDAM provides a set 
of components and patterns representing the different kinds of generic domain 
elements that can be assembled to specify the application. 

There are two potentially conflicting implications of the GDAM function- 
ality. First, SMEs should be allowed to capture their domain knowledge and 
application requirements in a manner that is computationally independent. Sec- 
ond, there should be a well defined structure and relationships among require- 
ments to allow for an automatic and mechanic transformation of the require- 
ments/constraints into an internal, platform independent, GDAM representation 
that can be later transformed into a platform specific GCAM representation. To 
reduce this potential conflict, the following decisions were made: 

— The transformation between the computational independent and platform 
independent representations should be a lightweight one. In other words, the 
platform independent transformation should subsume computational inde- 
pendent representation thus requiring only a simple transformation between 
the two. 

— The business logic, i.e. the “semantics” of the application, must be embedded 
within the computational independent representation to enforce constraints. 
The constraint language must be simple and easily transformed into code 
that can be integrated within the platform. 
— The configuration and deployment of the application is treated separately 
from the application requirements because that is inherently platform spe- 
cific. While every effort will be made to make it as generic as possible, some 
platform specific information may be necessary. 

— User interactions and user interface represent a separate challenge. Auto- 
matic or semi-automatic user interface generation based on the application 
requirements is not a unique one, i.e. there can be many different user inter- 
face designs. Such designs can be customized based on the SMEs preferences. 
While this effort is outside of the scope of the project, some considerations 
will be provided for possible future research. 

The development of GDAM is an iterative and evolutionary process. In ad- 
dition to the general system wide assumptions, the following assumptions are 
specific to the GDAM layer. 

— The current scope is restricted to the development of some of the indispens- 
able generic domain components that pertain to logistics domain. 

— The GDAM components development is an evolutionary process and it is 
not expected or possible to develop each and every GDAM component. 

— The developer and the SME will work together, sitting side-by-side if re- 
quired, while developing the GDAM model of the intended system. 

— Developers will collaborate with subject matter experts to develop and up- 
date the system with GDAM components that are required and not available. 

3.2 GCAM Layer 

The GCAM is an abstraction layer above the Cougaar code that represents the 
application’s design. Therefore, the GCAM hides the Cougaar code implementation 
while providing a platform specific “environment.” One of the important issues 
is a separation between the GDAM and the GCAM levels. The GDAM level 
represents requirements and the GCAM level represents design. Each level per- 
forms one mapping. The GDAM level maps from requirements to design which 
then serves as input to the GCAM level. The GCAM level then maps from the 
provided design to code. Therefore, the GCAM level is taking as an input the de- 
sign (GCAM representation) that contains constraints, references to the GCAM 
components, etc. A repository of components contains detailed descriptions of 
individual GCAM components in the form of “beans.” The GCAM engine as- 
sembles the code segments of the GCAM components from the repository and 
augments them with code generated from constraints and other design informa- 
tion. The resulting code, combined with the configuration information, provides 
a developed application. 

In addition to the general system-wide assumptions, the following assump- 
tions are specific to the GCAM layer. The GCAM is essentially a design level 
representation of the Cougaar system. 

— As the Cougaar system is revised, the revisions will be reflected in the GCAM 
layer. 


— The developers will write Cougaar code to encode details that cannot be 
represented using GCAM components. 

— The code generated by the system is not intended to be modified by develop- 
ers. The code generator is optimized for runtime performance and simplicity. 

— The GCAM engine does not have optimization capabilities and hence the 
generated code might not be as efficient as manually written code. The 
GCAM engine does not support model debugging capabilities. 


4 CMDA Model 

The GDAM requirements necessitated the development of a model representa- 
tion that is both versatile (to represent domain information) and familiar (to 
the SMEs and developers). Based on studies conducted, there is enough confi- 
dence to choose workflow as the medium to represent the generic domain model. 
Workflow is familiar to both SMEs and developers and charts out the working 
mechanism of the intended system. Further, the structure of the workflow (essen- 
tially boxes and arrows) is both generic (to represent most domain information) 
and extensible (to support addition and modifications of GDAM components). 
However, it should be noted that workflow does not capture all the requisite 
information. The information that is not captured includes: 

— Deployment and configuration information, 

— Information pertaining to GUI such as screen layout and user interactions, 

— Domain and system level constraints, and 

— Business rules. 

It is necessary to develop and refine the software artifact generation mecha- 
nism based on the information that is captured using workflow. Information that 
cannot be represented using workflow can be captured either by extending the 
workflow model (to record domain and system wide constraints) or by creating 
“threads” that will “run” in parallel to the workflow thread. 

Figure 3 shows the different threads that exist in the developed tool. The 
threads are designed to capture information pertaining to (1) workflow, (2) GUI 
layout, and (3) deployment. While the structure and semantics of the workflow 
thread are known, the details about the GUI and deployment threads are being 
worked out. The GDAM model representation consists of the Task model for 
GUI, Workflow model for Agent code and deployment model for deployment 
code. The models are transformed into corresponding XML representations by 
the GDAM engine. The GCAM engine reads in the XML, aggregates and corre- 
lates the information to produce the code artifacts. Higher priority is assigned 
to developing and refining the workflow thread. 

4.1 Domain Components presented in Cougaar 

The Cougaar system provides mechanisms to encode domain knowledge directly 
in the code. The domain that Cougaar implements is the planning domain for 
which the generic-domain components present in the Cougaar were identified. 
As the project moves forwards, more detailed study will be performed. The two 
important domain components found in the Cougaar were the task component 
and the asset component. 

Cougaar defines a task as “A requirement or request from one agent to an- 
other to perform or plan a particular operation.” The tasks are implemented 
in the planning domain library and are used by agents to let other agents 
perform a job or plan the execution of a job. 

Cougaar defines an asset as “Resources assigned to the task.” Any asset 
instance will have two key attributes: (1) a reference to its prototype and (2) a 
reference to the item identification property group. Assets are also implemented 
in the planning domain library. 


4.2 GDAM Representation 

Current Cougaar application development practices were analyzed and used to 
define the GDAM representation. The workflow model is the computational 
model used by Cougaar developers. Some of its functionality has been already 
incorporated in the Cougaar based code. As a consequence, the workflow model 
and its underlying XML Processing Description Language (XPDL) format have 
been selected for specifying application requirements [6]. The underlying plat- 
form independent GDAM model subsumes the workflow model by using the basic 
components of the workflow model as templates for the part of GDAM compo- 
nents. 

XPDL, defined by Workflow Management Coalition (WfMC), provides a 
framework for implementing business process management and workflow en- 
gines, and for designing, analyzing, and exchanging business processes. Further, 
XPDL is extensible and versatile to handle information used by a variety of 
different tools. 
While XPDL provides excellent mechanisms to define and record workflow 
processes, certain customization was needed. The customizations include: 

— Type Declarations: The type declarations were used to define the assets 
at the domain level. The SMEs will define and declare the primitive types, 
Property Groups (PGs) and assets using type declarations. The primitive 
types or elements within a PG were recorded as basic type in XPDL. The 
basic types were then grouped into a record type, which will represent the 
PG. The PGs are then grouped into a record to form the asset. The type 
declarations in XPDL provide all the capabilities required to define an asset. 

— Abstractions: The generic notations of XPDL were abstracted to repre- 
sent Cougaar concepts. The agents were represented using participants and 
the behavior of the agents was described using activities. The transitions 
represented the tasks generated by agents. 

— Constraint enforcement: The condition tags present in the XPDL were ex- 
tended to support constraint representations. While XPDL has many useful 
features, it lacks some of the required structure and constraint capabilities. 
As a consequence, the Object Constraint Language (OCL) is selected to 
capture this information [7]. The OCL constraints are included in the XPDL 
as pre- and post-conditions, thus eliminating free-text constraints from the 
original XPDL format. 

— Extended attributes: The extended attributes section was used to describe 
Cougaar specific semantics such as tasks, assets, and allocations. 

It should be noted that care was taken to extend the XPDL without breaking 
the XML structure defined by the WfMC. This was done to allow the XPDL file 
to be loaded in any standard workflow editor that supports XPDL. 

4.3 GDAM Components 

The current structure and semantics of GDAM components provide for speci- 
fying constraints (pre- and post-conditions) and a documentation section; they 
need revisions to incorporate fragments of design diagrams and mapping criteria. 
The workflow component describes the participant, activity and transition elements. 
The participant component which is used to represent Agent is defined in 
XPDL under the participants tag. Each participant has two attributes: ID (unique 
Id used to reference the participant within the workflow model) and Name (user 
specified name, which need not be unique). The participant component also con- 
tains the tag ParticipantType which is used by XPDL to identify the type of 
participant. 

The activity component is used to describe the behavior. The activity com- 
ponent, described inside the Activities tag, consists of two attributes: ID (unique Id 
used to reference the activity within the workflow model) and Name (user spec- 
ified name, which need not be unique). The activity component provides details 
about a particular behavior, which are mapped into Plugins during transfor- 
mations. The Activity component has performer tag to identify which Agents 
behavior is being defined, a transition restrictions tag to reference the constraints 
of a particular Task, and an extended attribute namely asset to identify the 
asset used by the activity. An activity component can occur more than once 
in the workflow model. The first occurrence of activity component is mapped 
into a new Plugin and subsequent occurrences result in appending the Plugins 
behavior. The Plugins behavior is appended by appending the subscription and 
action subsets of the Plugin. 

The asset component is used to describe the resources attached to tasks. The 
asset component is described using XPDL's type declarations. The primitive 
types or elements within a PG were recorded as basic type in XPDL. The basic 
types were then grouped into a record type, which will represent the PG. The 
PGs are then grouped into a record to form the asset. The TypeDeclaration tag, 
consists of two attributes: ID (unique Id used to reference the type within the 
workflow model) and Name (user specified name, which need not be unique). 
The TypeDeclaration also lists whether the type is basic type or record type. If 
the type is a record, the members of the record are listed. 
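
The following is an added example, not code from the CMDA tool or the Cougaar 
project, that exercises the XPDL customizations of Section 4.2 and the component 
semantics of Section 4.3: a constructed XPDL-style package (XPDL 1.0 element 
names, namespaces omitted; the placement of Condition under TransitionRestrictions 
and the asset extended attribute follow the text, not the WfMC schema) is parsed, 
the asset record is flattened through its PGs to basic types, participant and type 
references are checked the way a validating compiler would, and activities with the 
same Name are folded into one plugin by appending their subscriptions.

```python
"""Parse a constructed XPDL-style package and map it to plugins, checking
references the way a validating compiler would. Added example; not the
CMDA tool's code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: XPDL 1.0 element names, namespaces omitted for brevity.
SAMPLE_XPDL = """
<Package Id="demo">
  <TypeDeclarations>
    <TypeDeclaration Id="t1" Name="Quantity"><BasicType Type="INTEGER"/></TypeDeclaration>
    <TypeDeclaration Id="t2" Name="ItemPG">
      <RecordType><Member Name="quantity" TypeId="t1"/></RecordType>
    </TypeDeclaration>
    <TypeDeclaration Id="t3" Name="FuelAsset">
      <RecordType><Member Name="item" TypeId="t2"/></RecordType>
    </TypeDeclaration>
  </TypeDeclarations>
  <Participants>
    <Participant Id="p1" Name="SupplyAgent"><ParticipantType Type="ROLE"/></Participant>
  </Participants>
  <Activities>
    <Activity Id="a1" Name="AllocateFuel">
      <Performer>p1</Performer>
      <TransitionRestrictions><TransitionRestriction>
        <Condition Type="PRE">self.item.quantity &gt; 0</Condition>
      </TransitionRestriction></TransitionRestrictions>
      <ExtendedAttributes><ExtendedAttribute Name="asset" Value="t3"/></ExtendedAttributes>
    </Activity>
    <Activity Id="a2" Name="AllocateFuel">
      <Performer>p1</Performer>
      <ExtendedAttributes><ExtendedAttribute Name="asset" Value="t3"/></ExtendedAttributes>
    </Activity>
  </Activities>
</Package>
"""

@dataclass
class Plugin:
    name: str
    agent: str
    asset: str
    subscriptions: list = field(default_factory=list)   # activity ids folded into this plugin
    conditions: list = field(default_factory=list)      # OCL pre/post conditions, as text

def parse_types(root):
    """TypeDeclaration Id -> ("basic", type name) or ("record", {member: TypeId})."""
    types = {}
    for td in root.iter("TypeDeclaration"):
        tid = td.get("Id")
        if tid in types:
            raise ValueError(f"duplicate TypeDeclaration Id {tid!r}")
        basic = td.find("BasicType")
        if basic is not None:
            types[tid] = ("basic", basic.get("Type"))
        else:
            members = {m.get("Name"): m.get("TypeId")
                       for m in td.find("RecordType").findall("Member")}
            types[tid] = ("record", members)
    return types

def flatten_asset(types, tid, path="", seen=()):
    """Expand an asset record (PGs of basic types) to its primitive leaves,
    rejecting dangling and cyclic type references."""
    if tid not in types:
        raise ValueError(f"unknown type {tid!r} at {path or '<root>'}")
    if tid in seen:
        raise ValueError(f"cyclic TypeDeclaration through {tid!r}")
    kind, payload = types[tid]
    if kind == "basic":
        return {path: payload}
    leaves = {}
    for name, member_tid in payload.items():
        sub = f"{path}.{name}" if path else name
        leaves.update(flatten_asset(types, member_tid, sub, seen + (tid,)))
    return leaves

def build_plugins(xpdl_text):
    """First activity with a given Name opens a plugin; later ones append to it."""
    root = ET.fromstring(xpdl_text.strip())
    types = parse_types(root)
    participants = {p.get("Id"): p.get("Name") for p in root.iter("Participant")}
    plugins, seen_ids = {}, set()
    for act in root.iter("Activity"):
        aid, name = act.get("Id"), act.get("Name")
        if aid in seen_ids:
            raise ValueError(f"duplicate Activity Id {aid!r}")
        seen_ids.add(aid)
        performer = (act.findtext("Performer") or "").strip()
        if performer not in participants:
            raise ValueError(f"activity {aid!r}: performer {performer!r} is not a declared participant")
        asset = next((ea.get("Value") for ea in act.iter("ExtendedAttribute")
                      if ea.get("Name") == "asset"), None)
        if asset is None:
            raise ValueError(f"activity {aid!r}: no asset extended attribute")
        flatten_asset(types, asset)            # validates the asset reference
        conditions = [(c.text or "").strip() for c in act.iter("Condition")]
        agent = participants[performer]
        plug = plugins.get(name)
        if plug is None:
            plugins[name] = Plugin(name, agent, asset, [aid], conditions)
        elif plug.agent != agent:
            raise ValueError(f"activity {aid!r}: {name!r} already belongs to {plug.agent!r}")
        else:
            plug.subscriptions.append(aid)      # append subscription and action subsets
            plug.conditions.extend(conditions)
    return types, plugins

def compile_errors(xpdl_text):
    """Return the first validation error message, or None if the package is consistent."""
    try:
        build_plugins(xpdl_text)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed negative case: performer references an undeclared participant.
BAD_XPDL = SAMPLE_XPDL.replace("<Performer>p1</Performer>", "<Performer>p9</Performer>", 1)
```

Rejecting dangling participant and type references before any code is emitted is the 
check that matters here: a generator that silently accepts them produces plugins bound 
to agents or assets that do not exist in the society.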

5 CMDA Implementation 

The graphical user interface (GUI) for the developed CMDA tool has been im- 
plemented as an editor using the Eclipse IDE [8,9]. The editor allows editing 
and validation of XPDL data in both text and graphical formats. The XPDL is 
loaded into the editor, with the workflow displayed. The editor connects to the 
repository of components. The user drags components from a palette (represent- 
ing what’s available in the repository) assigning the activity to a new instance 
of the component, which can have all its properties set in a GUI. The editor 
shows any validation errors detected by the validating compiler. The instanti- 
ation data (component name and property values) are stored in the XPDL as 
extended attributes. The editor also shows a set of available resources, which 
can be assigned to each activity. As these resources are assigned, they are stored 
in the XPDL as extended attributes. Completed requirements include fully 
defined components with parameters, roles, and deployment data. 

Since the entire system is a component itself, with deployment information 
added, the editor is used to edit any inner component as well. The components 
are defined in a UML-like XMI-based language [10] where an XML schema 
is defined for specifying components that can be automatically converted to an 
EMF [11] model. Eclipse’s EMF is a modeling system similar to the Meta-Object 
Facility (MOF) [11]. Those similarities enable the use of EMF and the related 
tools for easy conversion to a UML representation. The UML representation, in 
addition to documentation generation, provides a better understanding of the 
application under development. 

The characteristics of the metamodel are determined from the parameteri- 
zation of Cougaar components, related constraints and properties. Components 
must define properties that can be queried and derived. Interconnected compo- 
nents work together as agents and societies of agents. Composition of components 
is specified using graphs describing interconnected and configured components. 
The graphs can be saved and reused. 

Generation of Cougaar/Java code, documentation, requirements, and test 
cases, depends on components that must provide information for artifact gener- 
ation. Deployment of components requires assignment of hosts and other compu- 
tational, storage, or other type of resources while maintaining Java compatibility. 

Each component maps to a UML structured component with template para- 
meters (Figure 4). The compiler validates components and generates artifacts. 
The validation ensures that the component is valid and suitable for artifact 
generation. Artifact generation creates Java code, documentation, test cases, and 
requirements data. 



Fig. 4. Component 


Components have named parameters that are defined like a very small subset 
of an XML schema [12]. Parameters specify a name attribute, which is matched 
when given a value. Parameters may also define a parent parameter, thus allow- 
ing sets of parameters and a cardinality. This allows variable numbers of sets of 
parameters, giving a reasonable configuration language for components. 

The metamodel directly provides constraint data through constraints given 
in the component definition, and implicitly through the typed connections and 
defined restrictions on the various metamodel elements. The compiler verifies 
constraints to assure that a valid system can be generated. 

The compiler considers the entire system as one top level component. The 
components are grouped into a tree of instantiations (component names coupled 
with values for all of their parameters) that is traversed by the compiler. The 
compiler calls the relevant profile mapping at each node to generate correspond- 
ing artifacts. The profile mappings use either an XML tree for the component 
definition or a set of EMF objects representing them in memory. The former is 
the serialized form of the latter. Extensible Stylesheet Language (XSL) Trans- 



formations (XSLT) [13] or Eclipse’s Java Emitter Template (JET) [14, 15] are 
then used to generate the artifacts. 

Components can specify roles, named interconnections with other compo- 
nents, that specify data types sent and received over them. Roles are special 
types of parameters which are fully initialized only with references to other 
component instances. They also cannot have inner roles or any such hierarchy. 

Deployment data is considered a special type of non-hierarchical parameter. 
Deployment data are not fixed values. They are expressions usable for deriving 
the value when the system is deployed. 

Components can specify inner member components to define the inner struc- 
ture. These member components are initialized and connected together. Their 
parameters, connections, and deployment information have static values or OCL 
expressions [7] based on the component’s parameter data. OCL expressions pro- 
vide additional information to object-oriented models, including constraints, 
queries, referencing values, stating conditions and business rules. Each value 
is expressed using OCL constants or using OCL expressions that allow their 
derivation. The component can define its properties as the values of properties 
in its member components, possibly with some modification and renaming. 

While the definitions immediately provide useful descriptions of the system, 
they do not directly provide code, test cases, etc. The compiler, in some cases, 
needs “help” from the component definitions to create code, test cases, and re- 
lated artifacts. Each component specifies the name of a Profile Mapping that 
links the component to a set of definitions for how the artifacts are gener- 
ated. Each profile mapping handles different categories of components, such as 
Cougaar Plugins, Agents, or Societies. 
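
The compiler behaviour described in this section (parameters with cardinality, a tree 
of instantiations, roles that must resolve to other instances, and a profile mapping 
chosen by component category) is illustrated by the following added example. It is 
not the CMDA tool's code: the component repository, the parameter names and the 
emitted artifact text are constructed, and the profile mappings emit plain strings in 
place of the XSLT/JET templates the tool uses.

```python
"""Component definitions with parameter cardinality, an instantiation tree,
validation, and category-selected profile mappings. Added example; the
component names, parameters and emitted text are constructed, not Cougaar's."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ParamSpec:
    name: str
    min_card: int = 1              # cardinality: how many values a parameter set may hold
    max_card: int = 1

@dataclass(frozen=True)
class ComponentDef:
    name: str
    category: str                  # selects the profile mapping: Plugin, Agent or Society
    params: tuple = ()
    roles: tuple = ()              # named interconnections to other component instances

# Constructed repository of component definitions.
DEFS = {
    "AllocatorPlugin": ComponentDef(
        "AllocatorPlugin", "Plugin",
        params=(ParamSpec("subscription", max_card=4), ParamSpec("asset")),
        roles=("reportsTo",)),
    "LogisticsAgent": ComponentDef("LogisticsAgent", "Agent", params=(ParamSpec("host"),)),
    "Society": ComponentDef("Society", "Society", params=(ParamSpec("name"),)),
}

@dataclass
class Instance:
    comp: str                      # component definition name
    name: str                      # unique instance name within the system
    values: dict = field(default_factory=dict)   # parameter -> list of values
    roles: dict = field(default_factory=dict)    # role -> target instance name
    members: list = field(default_factory=list)  # inner member components

def instance_names(inst, acc=None):
    acc = set() if acc is None else acc
    acc.add(inst.name)
    for m in inst.members:
        instance_names(m, acc)
    return acc

def validate(inst, defs=DEFS, known=None):
    """Walk the instantiation tree; return a list of constraint violations (empty = valid)."""
    known = instance_names(inst) if known is None else known
    d = defs.get(inst.comp)
    if d is None:
        return [f"{inst.name}: unknown component {inst.comp!r}"]
    errors = []
    declared = {p.name for p in d.params}
    for p in d.params:
        n = len(inst.values.get(p.name, []))
        if not p.min_card <= n <= p.max_card:
            errors.append(f"{inst.name}: parameter {p.name!r} has {n} value(s), "
                          f"expected {p.min_card}..{p.max_card}")
    errors += [f"{inst.name}: undeclared parameter {k!r}" for k in inst.values if k not in declared]
    for r in d.roles:
        if inst.roles.get(r) not in known:
            errors.append(f"{inst.name}: role {r!r} does not reference a component instance")
    errors += [f"{inst.name}: undeclared role {k!r}" for k in inst.roles if k not in d.roles]
    for m in inst.members:
        errors += validate(m, defs, known)
    return errors

# Profile mappings: one per component category, each emitting a constructed artifact.
def map_plugin(inst):
    return (f"public class {inst.name} {{\n"
            f"    // subscribes to: {', '.join(inst.values['subscription'])}\n"
            f"    // asset: {inst.values['asset'][0]}; reports to: {inst.roles['reportsTo']}\n"
            f"}}\n")

def map_agent(inst):
    plugins = ",".join(m.name for m in inst.members)
    return f'<agent name="{inst.name}" host="{inst.values["host"][0]}" plugins="{plugins}"/>\n'

def map_society(inst):
    agents = ",".join(m.name for m in inst.members)
    return f'<society name="{inst.values["name"][0]}" agents="{agents}"/>\n'

PROFILE_MAPPINGS = {"Plugin": map_plugin, "Agent": map_agent, "Society": map_society}

def generate(inst, defs=DEFS):
    """Validate, then traverse the tree bottom-up calling the profile mapping at each node."""
    errors = validate(inst, defs)
    if errors:
        raise ValueError("; ".join(errors))
    artifacts = {}
    def walk(node):
        for m in node.members:
            walk(m)
        artifacts[node.name] = PROFILE_MAPPINGS[defs[node.comp].category](node)
    walk(inst)
    return artifacts

def sample_system():
    """Constructed three-level system: society -> agent -> plugin."""
    plugin = Instance("AllocatorPlugin", "FuelAllocator",
                      values={"subscription": ["FuelTask"], "asset": ["FuelAsset"]},
                      roles={"reportsTo": "Supply"})
    agent = Instance("LogisticsAgent", "Supply", values={"host": ["node-a"]}, members=[plugin])
    return Instance("Society", "Demo", values={"name": ["demo"]}, members=[agent])
```

Validation runs over the whole tree before any artifact is produced, so a cardinality 
violation or a role pointing at a non-existent instance stops generation rather than 
surfacing later as a broken society configuration.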


6 Conclusions 


Cougaar is complex requiring considerable mappings and transforms. MDA pro- 
vides a systematic way of capturing requirements and mapping them from PIM 
to PSM and ultimately to the code level. The developed CMDA framework is an 
MDA based approach for the Cougaar agent-based architecture. It enables au- 
tomatic transformation of the application requirements, expressed in the XPDL 
format, into a platform-independent, GDAM representation. The artifacts are 
generated from models assembled using components that contain information re- 
lated to requirement, design, code, test and documentation details for that com- 
ponent, along with transformation information. Platform-specific GCAM com- 
ponents are derived from the metamodel and then converted into Cougaar/Java 
code. The CMDA combines assembly approach with transformations to generate 
the artifacts. While the CMDA-based approach uses the Cougaar architecture, 
it is applicable to other agent-based architectures. 
Abstract. Autonomic Computing (AC), a self-managing systems initiative 
based on the biological metaphor of the autonomic nervous system, is 
increasingly gaining momentum as the way forward in designing reliable 
systems. Agent technologies have been identified as a key enabler for 
engineering autonomicity in systems, both in terms of retrofitting autonomicity 
into legacy systems and designing new systems. The AC initiative provides an 
opportunity to consider other biological systems and principles in seeking new 
design strategies. This paper reports on one such investigation; utilizing the 
apoptosis metaphor of biological systems to provide a dynamic health indicator 
signal between autonomic agents. 


1. Introduction 

One of the great things about being involved in the early days of development of a 
new paradigm is having the opportunity to look again at how things are done, and 
contemplate approaches not normally considered before the paradigm beds down into 
its evolutionary path. 

Autonomic Computing is based on the biological metaphor of the Autonomic 
Nervous System (ANS) [1], taking the ANS as inspiration to achieve self-managing 
systems without ‘conscious effort’ from the user. IBM’s initial set of self-properties 
(self-CHOF, configuration, healing, optimisation and protection) have been expanded 
to include many self-* properties leading to the adoption of the term selfware. 

Biological systems inspire systems design in many other ways - reflex reaction 
and health signs [2, 3], nature-inspired systems (NIS) [4] - hive and swarm 
behaviour, fire flies, etc., for example. 

At this stage in the emerging field of Autonomic Computing we are seeking 
inspiration for new approaches from (obviously, pre-existing) biological mechanisms. 
An obscure mechanism which is discussed in this paper is Apoptosis - the approach 
for cell self-destruction, which at first sight may seem a metaphor too far. 
2. Biological Apoptosis 

The biological analogy of autonomic systems has been well discussed in the literature. 
While reading this the reader is not consciously concerned with his¹ breathing rate or 
how fast his heart is beating. Achieving the development of a computer system that 
can self-manage without the conscious effort of the user is the vision and ultimate 
goal [5]. Another typical biological example is that the touching of a sharp knife 
results in a reflex reaction to reconfigure the area in danger to a state that is out of 
danger (self-protection, self-configuration, and, if damage is caused, self-healing) [6]. 

If one cuts oneself and starts bleeding, good training results in washing the finger, 
applying a bandage and carrying on with one’s tasks without any further conscious 
thought. Yet, often, the cut will have caused skin cells to be displaced down into 
muscle tissue [7]. If they survive and divide, they have the potential to grow into a 
tumour. The body’s solution to dealing with this situation is cell self-destruction 
(with mounting evidence that cancer is the result of cells not dying fast enough, rather 
than multiplying out of control, as previously thought). 

It is believed that a cell knows when to commit suicide because cells are 
programmed to do so - self-destruct (sD) is an intrinsic property. This sD is delayed 
due to the continuous receipt of biochemical reprieves. This process is referred to as 
apoptosis [8], meaning ‘drop out’, used by the Greeks to refer to the Autumn 
dropping of leaves from trees; i.e., loss of cells that ought to die in the midst of the 
living structure. The process has also been nicknamed ‘death by default’ [9], where 
cells are prevented from putting an end to themselves due to constant receipt of 
biochemical ‘stay alive’ signals (Figure 1). 
Fig. 1. Turning off the self-destruct sequence - cell receives ‘stay alive’ signal. 


¹ Throughout this paper, for “his”, read “his/her”. 
Further investigations into the apoptosis process [10] have discovered more details 
about the self-destruct programme. Whenever a cell divides, it simultaneously 
receives orders to kill itself. Without a reprieve signal, the cell does indeed self- 
destruct. It is believed that the reason for this is self-protection, as the most 
dangerous time for the body is when a cell divides, since if just one of the billions of 
cells locks into division the result is a tumour, while simultaneously a cell must divide 
to build and maintain a body. 

The suicide and reprieve controls have been compared to the dual-key on a nuclear 
missile [7]. The key (chemical signal) turns on cell growth but at the same time 
switches on a sequence that leads to self-destruction. The second key overrides the 
self-destruct [7]. 


3. Autonomic Computing and Agents 

Autonomic Computing is dependent on many disciplines for its success; not least of 
these is research in agent technologies. At this stage, there are no assumptions that 
agents have to be used in an autonomic architecture, but as in complex systems there 
are arguments for designing the system with agents [11], as well as providing inbuilt 
redundancy and greater robustness [12], through to retrofitting legacy systems with 
autonomic capabilities that may benefit from an agent approach [13]. 



[Figure 2 label: Autonomic Communications channel] 


Fig. 2. Autonomic Element (agent or other) consists of a managed component and an 
autonomic manager. Control loops with sensors (self-monitor) and effectors (self-adjuster) 
together with system knowledge and planning/adapting policies allow the autonomic element to 
be self-aware and to self-manage. A similar scheme facilitates environment awareness 
(allowing self-managing if necessary, but without the immediate control to change the 
environment — this is effected through communication with other autonomic managers that 
have the relevant influence, through reflex or event messages). 
Emerging research suggests that the autonomic manager may be an agent itself, for 
instance, an agent termed a self-managing cell (SMC) [14], containing functionality 
for measurement and event correlation and support for policy-based control. 

Essentially, the aim of autonomic computing is to create robust dependable self- 
managing systems [15]. To facilitate this aim, fault-tolerant mechanisms such as a 
heart-beat monitor (‘I am alive’ signals) and pulse monitor (urgency/reflex signals) 
may be included within the autonomic element (Figure 2) [2, 16]. The notion behind 
the pulse monitor (PBM) is to provide an early warning of a condition so that 
preparations can be made to handle the processing load of diagnosis and planning a 
response, including diversion of load. Together with other forms of communications 
it creates dynamics of autonomic responses [17] - the introduction of multiple loops 
of control, some slow and precise, others fast and possibly imprecise, fitting with the 
biological metaphor of reflex and healing [2]. 

The major motivating factor for formal approaches to agent-based systems is to 
prevent race conditions and undesirable emergent behaviour. In this situation, Self- 
Destruction of the agent may be viewed as a last resort situation to prevent further 
damage; in other situations, such as security of the agent, Self-Destruction may be 
used as an intrinsic part of the process. 

Agent destruction has been proposed for mobile agents to facilitate security 
measures [18]. Greenberg et al. highlighted the situation simply by recalling the 
situation where the server omega.univ.edu was decommissioned, its work 
moving to other machines. When a few years later a new computer was assigned the 
old name, to the surprise of everyone, email arrived, much of it 3 years old [19]. The 
mail had survived ‘pending’ on Internet relays waiting for omega.univ.edu to 
come back up. 

Greenberg encourages consideration of the same situation for mobile agents; these 
would not be rogue mobile agents - they would be carrying proper authenticated 
credentials. This work would be done totally out-of-context due to neither abnormal 
procedure nor system failure. In this circumstance the mobile agent could cause 
substantial damage, e.g., deliver an archaic upgrade to part of the network operating 
system resulting in bringing down the entire network. 

Misuse involving mobile agents comes in the form of: 

• misuse of hosts by agents, 

• misuse of agents by hosts, and 

• misuse of agents by other agents. 

From an agent perspective, the first is through accidental or unintentional situations 
caused by that agent (race conditions and unexpected emergent behaviour), the latter 
two through deliberate or accidental situations caused by external bodies acting upon 
the agent. The range of these situations and attacks have been categorised as: 
damage, denial-of-service, breach-of-privacy, harassment, social engineering, event- 
triggered attacks, and compound attacks. 

In the situation where portions of an agent’s binary image (e.g., monetary 
certificates, keys, information, etc.) are vulnerable to being copied when visiting a 
host, this can be prevented by encryption. Yet there has to be decryption in order to 
execute, which provides a window of vulnerability [19]. This situation has similar 
overtones to our previous discussion on biological apoptosis, where the body is at its 
most vulnerable during cell division. 


4. Autonomicity in NASA Missions

New paradigms in spacecraft design are leading to radical changes in the way NASA designs spacecraft operations [20]. Increasing constraints on resources, and a greater focus on the cost of operations, have led NASA to utilize adaptive operations and move towards almost total onboard autonomy in certain classes of mission operations [21, 22].

NASA missions, particularly those to deep space, where manned craft will not at present be utilized, are considering the use of almost wholly autonomous decision-making to overcome the unacceptable time lag between a craft encountering new situations and the round-trip delay (upwards of 40 Earth minutes) in obtaining responses and guidance from mission control.

More and more NASA missions will, and must, incorporate autonomicity as well 
as autonomy [23, 27]. 


4.1 Previous Missions 

Two of the first notable missions to use autonomy are DS1 (Deep Space 1) and the 
Mars Pathfinder [24]. 

The Beacon Monitor concept, first used in the DS1 mission work [25], automates the routine task of health monitoring and transfers the process of monitoring from the ground to the spacecraft [16]. With beacon monitoring, the spacecraft sends a signal to the ground that indicates how urgent it is to track the spacecraft for telemetry.

This concept involved a paradigm shift for NASA from its traditional routine 
telemetry downlink and ground analysis, to onboard health determination and 
autonomous data summarization [25]. 

In terms of high-level concepts, the beacon monitor is analogous to the heartbeat monitor, but with the addition of a tone to indicate the degree of urgency involved: nominal, interesting, important, urgent and no tone [26].

Some long-term drawbacks of this approach have been discovered. Since one of the primary goals of beacon monitoring was to reduce the amount of data sent to the ground, operators lose the ability to gain an intuitive feel for the performance and characteristics of the craft and its components, as well as losing the ability to run the data through simulations [20].

As such, to fully benefit from beacon monitoring, the fast loop of real-time health assessment must be supplemented by a slow loop to study the long-term behaviour of the spacecraft. This engineering data summarization is where the spacecraft creates a second set of abstractions regarding the sensor telemetry, which is then sent back to the ground to provide the missing context for operators. This dual approach has conceptually much in common with the reflex and healing approach [2, 16].


4.2 A Future Mission 

The Autonomic Computing initiative has been identified by NASA as having potential to contribute to their goals of autonomy and cost reduction in future space exploration missions [22, 23, 27].

ANTS, Autonomous Nano-Technology Swarm, is a mission that will launch 
sometime between 2020 and 2030 (“any day now” in terms of NASA missions). The 
mission is viewed as a prototype for how many future unmanned missions will be 
developed and how future space exploration will exploit autonomous and autonomic 
behaviour. 

The mission will involve the launch of a swarm of 1000 pico-class spacecraft from a stationary factory ship, on which the spacecraft will be assembled. The spacecraft will explore the asteroid belt from close up, something that cannot be done with conventionally-sized spacecraft.

As much as 60% to 70% of the spacecraft will be lost on first launch as they enter the asteroid belt. The surviving craft will work as a swarm, forming smaller groupings of: worker craft (each containing a unique instrument for data gathering); a coordinating ruler, which will use the data it receives from workers to determine which asteroids are of interest, issue instructions to the workers and act as a coordinator; and messenger craft, which will coordinate communications within the swarm and between the swarm and ground control. Communications with Earth will be limited to the download of science data and status information, and requests for additional craft to be launched from Earth as necessary.

A current project (FAST) is studying advanced technologies for the verification of 
this incredibly complex mission; the reader is directed to [22, 27] for a more detailed 
exposition of the ANTS mission and the FAST (Formal Approaches to Swarm 
Technologies) project. 


5. The Role of Apoptosis 

The discussions so far have established the concepts of: 

• Heart-Beat Monitor (HBM), 'I am alive': a fault-tolerant mechanism which may be used to safeguard the autonomic manager to ensure that it is still functioning by periodically sending 'I am alive' signals.

• Pulse Monitor (PBM), 'I am healthy': extends the HBM to incorporate reflex/urgency/health indicators from the autonomic manager representing its view of the current self-management state. The analogy is with measuring the pulse rate instead of merely detecting its existence.

• Apoptosis, 'Stay alive': a proposed additional construct used to safeguard the system and agent; a signal indicates that the agent is still operating within the correct context and behaviour, and should not self-destruct.

The title of this paper (purposely) raises the question of whether there is a role for the 
apoptosis metaphor within the development of autonomic agents. Additionally, in 
the introduction, we prompted the consideration of whether perhaps it is a metaphor 
too far. 

Section 3 clearly highlights the general problem of agent security, whether from the agent's or the host's perspective. In terms of a generic contribution to autonomic agent development, as with many security issues, the lack of an agreed standard approach to agent-based systems prohibits further practical development for generic autonomic systems. As such, the proposal can only be 'put out there' as a concept.

Of course, within NASA missions such as ANTS, we are not considering the generic situation. Mission control and operations is a trusted private environment. This eliminates many of the wide range of agent security issues discussed earlier, leaving just the particular concerns: is the agent operating in the correct context, and is it showing emergent behaviour within acceptable parameters? It is here that apoptosis can make a contribution.

For instance, in ANTS, suppose one of the worker agents was indicating incorrect 
operation, or when co-existing with other workers was the cause of undesirable 
emergent behaviour, and was failing to self-heal correctly. That emergent behaviour 
(depending on what it was) may put the scientific mission in danger. Ultimately the 
stay alive signal from the ruler agent would be withdrawn. 

If a worker, or its instrument, were damaged, either by collision with another worker, or (more likely) with an asteroid, or during a solar storm, a ruler could withdraw the stay alive signal and request a replacement worker (from Earth, if necessary). If a ruler or messenger were similarly damaged, its stay alive signal would also be withdrawn, and a worker would be promoted to play its role.

All of the spacecraft are powered by batteries that are recharged by the sun using 
solar sails [22, 27]. Although battery technology has greatly advanced, there is still a 
“memory loss” situation, whereby batteries that are continuously recharged eventually 
lose some of their power and cannot be recharged to full power. After several 
months of continual operation, each of the ANTS will no longer be able to recharge 
sufficiently, at which point their ‘stay alive’ signals will be withdrawn, and new craft 
will need to be assembled or launched from Earth. 
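The 'stay alive' exchange described in this section, together with the stale-but-authenticated credential problem from Section 3, can be made concrete. The following Python block is an added example, not code from this paper or from the ANTS or FAST projects: a ruler issues short-lived, HMAC-authenticated stay-alive signals; a worker self-destructs as soon as its current signal has expired without renewal or has been withdrawn, and it rejects a signal that still verifies but is addressed to another craft or is out of date, which is the omega.univ.edu situation transposed to agents. The shared key, the cycle-based clock, the lease length and the worker names are assumptions introduced for the example.

```python
import hashlib
import hmac
import json


class Clock:                       # deterministic mission clock, in cycles, so the exchange is reproducible
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, cycles=1):
        self.now += cycles


def _tag(key, msg):                # HMAC-SHA256 over the serialized signal body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Ruler:                       # issues authenticated, short-lived 'stay alive' signals and can withdraw them
    def __init__(self, key, clock):
        self.key, self.clock, self.alive = key, clock, set()

    def admit(self, worker_id):
        self.alive.add(worker_id)

    def withdraw(self, worker_id):  # damaged or misbehaving worker: no further signals for it
        self.alive.discard(worker_id)

    def issue(self, worker_id, ttl):
        if worker_id not in self.alive:
            return None
        body = {"worker": worker_id, "expires": self.clock() + ttl}
        msg = json.dumps(body, sort_keys=True).encode()
        return msg, _tag(self.key, msg)


class Worker:                      # keeps running only while it holds an unexpired, authentic signal for itself
    def __init__(self, worker_id, key, clock):
        self.id, self.key, self.clock = worker_id, key, clock
        self.lease_expires, self.destroyed = None, False

    def receive(self, signal):
        if signal is None:
            return False
        msg, tag = signal
        if not hmac.compare_digest(_tag(self.key, msg), tag):
            return False                                   # forged or tampered signal
        body = json.loads(msg)
        if body.get("worker") != self.id:
            return False                                   # authentic, but addressed to another craft
        if body.get("expires", 0) <= self.clock():
            return False                                   # authentic, but its context has expired
        self.lease_expires = body["expires"]
        return True

    def tick(self):                # called every cycle; returns False once the agent has self-destructed
        if not self.destroyed and (self.lease_expires is None or self.clock() >= self.lease_expires):
            self.destroyed = True                          # apoptosis: the stay-alive signal is gone
        return not self.destroyed


def scenario():                    # constructed exchange; every check is expected to be True
    clock, key = Clock(), b"constructed-shared-key"        # assumption: key pre-shared inside trusted mission control
    ruler, worker = Ruler(key, clock), Worker("worker-7", key, clock)
    ruler.admit("worker-7")
    ruler.admit("worker-9")
    checks = {}
    signal = ruler.issue("worker-7", ttl=3)                # cycle 0: valid until cycle 3
    checks["fresh_signal_accepted"] = worker.receive(signal)
    forged = (json.dumps({"expires": 99, "worker": "worker-7"}, sort_keys=True).encode(), signal[1])
    checks["tampered_signal_rejected"] = not worker.receive(forged)
    checks["other_craft_signal_rejected"] = not worker.receive(ruler.issue("worker-9", ttl=3))
    clock.advance(2)                                       # cycle 2: lease still current
    checks["alive_while_lease_valid"] = worker.tick()
    ruler.withdraw("worker-7")
    checks["renewal_refused_after_withdrawal"] = ruler.issue("worker-7", ttl=3) is None
    clock.advance(1)                                       # cycle 3: lease expired and no renewal arrived
    checks["self_destructed_on_expiry"] = not worker.tick()
    checks["stale_replay_rejected"] = not worker.receive(signal)   # the 3-year-old mail case: valid, stale
    return checks
```

The point of the expiry field is the one the Greenberg anecdote makes: authenticity alone says nothing about context. A replayed or long-delayed signal carries a perfectly good tag and is still refused, and an agent that stops hearing from its ruler stops itself rather than continuing on stale authority.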


6. Conclusions 

Autonomic Computing [1] has been gaining ground as a significant new paradigm to 
facilitate the creation of self-managing systems to deal with the ever increasing 
complexity and costs inherent in today’s (and tomorrow’s) systems. 

In terms of the Autonomic Computing initiative, agent technologies have the potential to become an intrinsic approach within the initiative [28], not only as an enabler (e.g. the ABLE agent toolkit [29]), but also in terms of creating autonomic agent environments.

Formal approaches to agent-based systems [30, 31] have a primary focus of identifying race conditions, highlighting undesirable emergent behaviour, and verifying the correctness of systems that are far too complex to ever test correctly. However, the practicality of mobile agents is predicated on the existence of realistic security techniques [19].

We have described the Heart-Beat Monitor (HBM) and Pulse Monitor (PBM) and 
proposed a logical addition which has an analogy from biological systems, Apoptosis 
and Self-Destruct , which we believe will be valuable in future autonomic systems. 
Abstract. Emergent agents, those agents whose local interactions can cause unexpected global results, require a method of modeling that is both dynamic and structured. Petri Nets, a modeling tool developed for dynamic discrete event systems of mainly functional agents, provide this, and have the benefit of being an established tool. We present here the details of the modeling method and discuss how to implement its use for modeling agent-based systems.


1 Introduction 

Petri Nets have been used extensively in the modeling of functional agents, those agents that have defined purposes and whose actions should result in a known outcome. However, emergent agents, those agents that have a defined structure but whose interaction causes outcomes that are unpredictable, have not yet found a modeling style that suits them. A problem with formally modeling emergent agents is that any formal modeling style usually expects to show the results of a problem, and the results of problems studied using emergent agents are not apparent from the initial construction. However, the study of emergent agents still requires a method to analyze the agents themselves, and to have a sensible conversation about the differences and similarities between types of emergent agents. We attempt to correct this problem by applying Petri Nets to the characterization of emergent agents. In doing so, the emergent properties of these agents can be highlighted, and conversation about the nature and compatibility of the differing methods of agent creation can begin.


1.1 Petri Nets 

Petri Nets are a graphical modeling tool used mainly to analyze manufacturing processes. The main strength of using Petri Nets lies in the fact that they can handle concurrency of events. For complex modeling the ability to allow several events to occur simultaneously and still analyze their effects on each other is a necessity. The classic Petri Net consists of four objects: places, transitions, directed arcs and tokens. A place is a state of existence for a model. Consider a traffic light which has three states, each of which indicates a different situation; red says stop, yellow indicates caution, and green allows forward motion. Each of these three states would be considered a place in a Petri Net. Places are usually denoted by a circle. Transitions are the means by which the different places are reached. This would be the light changing from red to yellow, yellow to green, etc. You must go through a transition in order to reach a place. Transitions take the form of a square, or a straight line. The directed arc links the places to the transition. If one must change from red to yellow, there would be an arc linking the place "red" to the transition "changing from red to yellow," and another linking this transition to the place "yellow." The token is the means by which the Petri Net is made active. It indicates at which place in the Petri Net the current process is, and allows for restrictions on the activity of the processes. If there were two traffic lights at an intersection the tokens would indicate which is green, which is red, and ensure that only one was green at any given time. Below is the traffic light example shown as a Petri Net (1).



Fig. 1. This represents two traffic lights. The tokens in Green 1 and Red 2 show that the left 
traffic light is green currently, and the right one, red. Notice that both tokens have to be in spot 
X for the light to change. This is true of many actual traffic systems, where all lights at an 
intersection are briefly red before one turns green 

This process of putting the Petri Net into action is referred to as firing. Each token allows for a single firing, which causes a token to move from a place, through a transition, into another place. In order for a particular transition to be enabled, all of the places that have a directed arc leading to that transition must have a token. In the case above, the X place creates the situation where both lights must be red for one to turn green.
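The firing rule just described is small enough to execute. The following Python block is an added example, not part of the original paper or of the tutorial it cites: a minimal place/transition net with weighted arcs, the two-traffic-light net reconstructed from the description of Fig. 1 (the handshake place X is modeled as holding one token per red light, so a light can only turn green when X holds two tokens; the exact arcs of the original figure are an assumption), and an exhaustive enumeration of reachable markings that checks the "never both green" property instead of relying on one run. The same check on a variant without the X place shows the property failing, which is the kind of undesirable reachable state a formal model is meant to expose.

```python
from collections import deque


class PetriNet:
    """Place/transition net with weighted arcs; a marking maps place name -> token count."""

    def __init__(self, places, transitions):
        self.places = list(places)
        self.transitions = dict(transitions)   # name -> (input arcs {place: weight}, output arcs {place: weight})

    def enabled(self, marking):
        """A transition is enabled only if every input place holds at least the arc weight in tokens."""
        return [t for t, (inputs, _) in self.transitions.items()
                if all(marking.get(p, 0) >= w for p, w in inputs.items())]

    def fire(self, marking, t):
        """Consume the input tokens and produce the output tokens; returns a new marking."""
        inputs, outputs = self.transitions[t]
        if any(marking.get(p, 0) < w for p, w in inputs.items()):
            raise ValueError(f"transition {t!r} is not enabled")
        new = dict(marking)
        for p, w in inputs.items():
            new[p] -= w
        for p, w in outputs.items():
            new[p] = new.get(p, 0) + w
        return new

    def reachable(self, initial):
        """Every marking reachable from `initial`, by breadth-first search (the nets here are bounded)."""
        key = lambda m: tuple(m.get(p, 0) for p in self.places)
        start = {p: initial.get(p, 0) for p in self.places}
        seen, queue = {key(start): start}, deque([start])
        while queue:
            m = queue.popleft()
            for t in self.enabled(m):
                nxt = self.fire(m, t)
                if key(nxt) not in seen:
                    seen[key(nxt)] = nxt
                    queue.append(nxt)
        return list(seen.values())


def _light(i, handshake):
    """Transitions of one light. With `handshake`, place X holds one token per red light: going red
    deposits a token, and going green needs two tokens (both lights red) and gives one back."""
    g, y, r = f"G{i}", f"Y{i}", f"R{i}"
    to_red_out = {r: 1, "X": 1} if handshake else {r: 1}
    to_green_in = {r: 1, "X": 2} if handshake else {r: 1}
    to_green_out = {g: 1, "X": 1} if handshake else {g: 1}
    return {f"{g}_to_{y}": ({g: 1}, {y: 1}),
            f"{y}_to_{r}": ({y: 1}, to_red_out),
            f"{r}_to_{g}": (to_green_in, to_green_out)}


# Reconstruction of Fig. 1 (the exact arcs of the original figure are an assumption).
LIGHT_PLACES = ["G1", "Y1", "R1", "G2", "Y2", "R2", "X"]
TWO_LIGHTS = PetriNet(LIGHT_PLACES, {**_light(1, True), **_light(2, True)})
NO_HANDSHAKE = PetriNet(LIGHT_PLACES[:-1], {**_light(1, False), **_light(2, False)})
INITIAL = {"G1": 1, "R2": 1, "X": 1}   # left light green, right light red: one red light, one token in X


def never_both_green(net, initial):
    """The safety property of Fig. 1, checked over every reachable marking rather than one sample run."""
    return all(m.get("G1", 0) + m.get("G2", 0) <= 1 for m in net.reachable(initial))


if __name__ == "__main__":
    for name, net in (("with X", TWO_LIGHTS), ("without X", NO_HANDSHAKE)):
        print(name, "never both green:", never_both_green(net, INITIAL),
              "reachable markings:", len(net.reachable(INITIAL)))
```

With the handshake place the net has five reachable markings and never puts tokens in G1 and G2 at once; without it all nine combinations of light states are reachable, including both green. Exhaustive reachability is only practical because these nets are bounded; an unbounded place (for instance X receiving a token on every red without ever consuming one) would make the search run forever, which is itself a modeling error worth catching.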





The model above is an example of a Petri Net that describes a well-defined system, 
with predictable results, and no emergent properties. Below we describe how this tool 
can be applied in a situation where emergence generates the interesting result. 


2 Emergent Agent Modeling 

We create a formal model of a classic agent-based model, the Schelling model of spatial segregation. In this model, there are two types of agents. Each agent has a threshold level for the number of similar agents they wish to have in their 'neighborhood', although no agent has a particular preference for segregation. When chosen at random, each agent takes an accounting of the percentage of each agent type in its neighborhood, and if the percentage of dissimilar agents is too high, it will move to another location. Although simple, the model's results stem from the emergent properties of the heterogeneous agents. Although this is not a detailed model, there are still many choices a researcher must make when programming the simulation, such as the type of neighborhood the agents live in, how the thresholds are determined, the method of location switching, etc. Each model has characteristics in common, however, and it is these characteristics that should be included in a formal specification of the model. Below is a Petri Net model of the basic characteristics that should be included in every Schelling simulation, regardless of the individual choices made by the researchers.



Fig. 2. A Petri Net of the Schelling model of spatial segregation [2]. Here, an agent has a certain threshold of similar agents they want in their "neighborhood". If that percentage falls beneath their threshold, they will choose to move. The Petri Net shows the basic model, without requiring knowledge of the specific parameters


Given this model of the process that the researcher is trying to analyze, and the specifics of the choices that she made in the design process, the original results should be replicable. In addition there is no need for every researcher to utilize the same programming language or software package in order to understand the workings of the model. Petri Nets are dynamic, which makes them ideal for analyzing the structure of agent-based models, whose results usually rely on the dynamic interactions of their component parts.


3 Conclusion 

These Petri Net models do not replace the agent-based model itself. The 
emergent nature of many agent-based results still requires a full computational simula- 
tion to be created. However, they do provide a method by which two modelers can 
discuss a single problem without being distracted by the particulars of their individual 
models. Since Petri Nets are mathematically based, issues of the efficiency of the 
model can also be analyzed. Finally, there is already an established body of work in 
the field of Petri Nets, which prevents agent-based modelers from having to invent 
new systems of analysis. Just as economics and other fields adapted calculus for their 
own uses, agent-based modelers in all disciplines can use this technique. 


References

1. http://tmitwww.tm.tue.nl/staffwvdaalst/Petri nets/pn tutorial.html (July 2004)

2. Schelling, T.C.: Micromotives and Macrobehavior. W. W. Norton & Company, 1978



Massive multi-agent systems control


Jean Charles CAMPAGNE 1, Alain CARDON 1,2, Etienne COLLOMB 3, and Toyoaki NISHIDA 3

1 LIP6 - UPMC - CNRS - 8, rue du Capitaine Scott - 75015 Paris - France
{jean-charles.campagne, alain.cardon}@lip6.fr

2 IRD, Centre Ile-de-France - 32, rue Varagnat - 93143 Bondy Cedex - France

3 The University of Tokyo - 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
{etienne,nishida}@kc.t.u-tokyo.ac.jp


Abstract. In order to build massive multi-agent systems, considered as complex and dynamic systems, one needs a method to analyze and control the system. We suggest an approach using morphology to represent and control the state of large organizations composed of a great number of light software agents. Morphology is understood as representing the state of the multi-agent system as shapes in an abstract geometrical space; this notion is close to the notion of phase space in physics.


1 Introduction 


With the advent of new computer technologies, new large-scale systems are now possible. However, methods for actually building such complex systems are less frequently proposed. Existing common approaches include: "manual tuning", emergence-based theory approaches, and genetic approaches.

Manual tuning is only feasible for a couple of agents. It is impracticable for 
bigger organizations. 

Emergence-based theories seek the understanding of the requirements at the microscopic level (the agent) in the hope that the macroscopic level (the system) will eventually behave appropriately. Many of these theories suggest that the agents composing the system have to be cooperative: resolving local conflicts is sufficient to yield a proper global behavior (e.g. [3]). This hypothesis seems too restrictive [2]; natural self-adaptive systems composed of many entities are not all locally cooperative.

Agent genetic approaches, which allow not-necessarily-cooperative agents (e.g. [5]), seem to be promising. However, they lack the ability to analyze and understand the system. It is difficult to understand how the system works by relying only on the fitness function.

In order to build such a system one has to be able to analyze, maintain and 
control the behavior of the system. Deep understanding of the system workings is 
needed. And for such a system to be auto-adaptive, it needs to observe, analyze 
and control itself [4]. 



Our proposal. For a system to be self-regulated, it has to have the ability to consider its internal state. We propose a way of describing the state of the agent organization in a problem-independent manner, by projecting the state of the agent organization into an abstract geometrical space from various measurements made at the agent level (this is similar to the approach in physics with phase space), and letting the system access this representation in order to control itself. The underlying hypothesis is that the shapes representing the system's state are correlated with the system's behavior.

We describe the model, highlighting the important points, and then present an example of an application of such an architecture to agent population control. We also discuss the advantages and current limitations based on experiments with the implemented model.


2 Description of the approach 

2.1 Hypothesis 

We seek to correlate the micro-level behavior (agent) with the macro-level be- 
havior (organization) using a generic approach (morphology). The hypothesis 
is that the shapes should be correlated to the system’s behavior, and that it 
is possible to attract the system toward another state using the morphological 
description if the system fails to behave appropriately. 


2.2 General Description 

The system is composed of three main organizations: the aspectual organization, which represents a phenomenon; the morphological organization, which describes the state of the aspectual organization in a geometrical way; and the analysis organization, which controls the aspectual organization by relying on the description given by the morphological organization and following the guidelines provided by the system designer. A more detailed description can be found in [1].


2.3 Aspectual organization 

The aspectual organization, composed of many agents, represents a phenomenon we want to study. This is the organization we seek to analyze and control. The term "aspectual" comes from the original agentification method proposed in [1].

In order to evaluate the system's state, the aspectual agents compute a value, called the "aspectual vector", as they run. This vector is a collection of values describing the agent's organizational state and its activity. The exact nature of these measures depends on the structure of the agent.



2.4 Morphological organization 

The whole collection of aspectual vectors makes up the aspectual landscape of the aspectual organization, which is then analyzed by the morphological agents.

Morphological agents attempt to describe what is happening in the aspectual organization in a geometrical way. The description does not take into account the ontology previously established: there is no semantics in the morphology space. Morphology space is only concerned with the activity and the organizational state of the agents. It points out structure, shapes, recurrent features, similarities, oppositions, dominant or recessive features. If we consider the aspectual measure as a mapping from a subset of the agent organizational state space to a numerical space (possibly multi-dimensional), the reciprocal is a function that modifies the agent's behavior according to some target value, so that the resulting aspectual vector of the agent conforms to that target value.


2.5 Analysis organization 

By using a proper way of computing the morphology, the shapes revealed by the 
morphology are correlated to the system’s behavior. We intend to exploit this 
correlation. 

The analysis agents use the morphological description to examine the aspectual organization and to orient the system according to some generic guidelines given by the designer (for example: "global variable X of the system should be around value Y"). This is achieved by classifying and learning the morphology: as the system runs, typical shapes in the morphological space are revealed; these shapes are correlated with the system's behavior and categorized appropriately. Analysis agents can, following the designer's guidelines, influence the aspectual organization, either by direct injunctions on it, or by selecting appropriate shapes (learned from the system's past activity) and telling the morphological agents that this particular shape would be more appropriate than the current shape.

3 Example 

We have developed an example using this approach in the context of agent 
population size control. The goal of this example is to illustrate how the global 
behavior of the system is correlated with its morphological description and how 
it is possible to exploit this correlation to control the system. 


3.1 Aspectual agents 

The aspectual organization is subjected to population control. Aspectual agents 
reside in a common environment where they “see” each other and from which 
they can extract some “energy” in order to survive. 

Agents have some limited social skills: an agent can ask another agent to give it some energy. The asked agent can either cooperate or refuse. In the event of refusal, the asker "fights" the non-cooperative agent. A fight results in a loss of energy by both antagonists; however, the initiator of the fight loses less energy than the other one (simulating the benefit of initiating the attack).

If the energy level of an agent drops below zero, the agent “dies” and is 
removed from the organization. If an agent collects enough energy it can clone, 
yielding another agent. Removal and cloning of agents enables the organization 
to change in size. 

The behavior of each aspectual agent is parameterized by a variable, called its "eagerness", which influences the agent's choice of whether or not to attack other agents. This parameter can be updated by the agent itself when it receives a recommendation from the morphological agents.

3.2 The morphology 

To analyze the system, we chose to use only one characteristic of the agent's organizational state: its "supremacy". The idea of this measure is to capture the position of the agent within the organization: whether or not the agent is in a comfortable position. This is correlated with its energy level: the more energy the agent has, the more likely it is to survive. Hence, we chose to compute the agent's supremacy as equal to its energy level.

The shapes used to describe the organization's state are normalized and mean-centered histograms representing the distribution of the agents' states according to their supremacy. Histograms have the advantage of being easily comparable. It is possible to formulate a "reciprocal" of this mapping: an aspectual agent that is asked to change its vector value will try to do so by modifying some of its variables (its eagerness) that alter its behavior accordingly.


3.3 The analysis and control 

One analysis agent is used to control the system. This agent learns and classifies the histograms computed by the morphological agent. It can also directly know the actual number of agents in the aspectual organization, so it is able to determine, according to rules defined by the system designer, whether the system is in a "good" or "bad" state, and to classify the corresponding shape properly (figure 1).

In this example, when the system behaves correctly there is no feedback. But when the population size is out of bounds, the analysis agent asks the morphological agent to compute the appropriate feedback, corresponding to the difference between the "good" and "bad" histograms.
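To make the three organizations of Sections 3.1 to 3.3 concrete, the following Python simulation is an added example, not the authors' implementation (whose parameters the paper does not give). It implements the energy/ask/fight/clone/die rules of the aspectual agents, the normalized mean-centered supremacy histogram of the morphological agent, an analysis agent that remembers "good" shapes and, when the population leaves the [40, 60] band, sends feedback to the agents sitting in over-populated bins by adjusting their eagerness, and the error rate defined in Section 3.4. All numeric parameters (environment energy, upkeep, fight costs, clone threshold, the 50% cooperation probability, bin count) are assumptions, and the mapping from histogram feedback to an eagerness change is a deliberate simplification of the paper's "reciprocal".

```python
import random
from dataclasses import dataclass

# Every constant below is an assumption made for this example; the paper gives no values.
ENV_ENERGY, UPKEEP = 140.0, 2.0    # energy the environment releases per cycle / energy each agent burns per cycle
ASK_AMOUNT, FIGHT_COST = 1.0, 2.0  # energy asked for per cycle / energy the attacked agent loses (initiator loses half)
CLONE_AT = 20.0                    # energy at which an agent clones, splitting its energy with the child
NUM_BINS, HIST_RANGE = 8, 10.0     # supremacy histogram: NUM_BINS bins over mean-centered [-HIST_RANGE, HIST_RANGE)
LOWER, UPPER = 40, 60              # population band: target 50 with a 0.2 margin, as in the paper


@dataclass
class Agent:
    energy: float
    eagerness: float               # probability of fighting when a request for energy is refused


class AspectualOrganization:       # agents gather energy, ask/fight, die below zero energy, clone when rich
    def __init__(self, size, rng, eagerness=0.1):
        self.rng = rng
        self.agents = [Agent(rng.uniform(5.0, 15.0), eagerness) for _ in range(size)]

    def step(self):
        agents = self.agents
        for a in agents:
            a.energy += ENV_ENERGY / len(agents) - UPKEEP   # income gets scarcer as the population grows
        for asker in agents:
            target = self.rng.choice(agents)
            if target is asker:
                continue
            if self.rng.random() < 0.5:                     # the asked agent cooperates: zero-sum transfer
                target.energy -= ASK_AMOUNT
                asker.energy += ASK_AMOUNT
            elif self.rng.random() < asker.eagerness:       # refusal, and the asker chooses to fight
                asker.energy -= FIGHT_COST / 2
                target.energy -= FIGHT_COST
        alive = [a for a in agents if a.energy >= 0]        # energy below zero: the agent dies
        children = []
        for a in alive:
            if a.energy >= CLONE_AT:                        # cloning: the child inherits the eagerness
                a.energy /= 2
                children.append(Agent(a.energy, a.eagerness))
        self.agents = alive + children


def bin_of(energy, mean):          # histogram bin of one mean-centered supremacy value (supremacy = energy)
    centered = min(max(energy - mean, -HIST_RANGE), HIST_RANGE - 1e-9)
    return int((centered + HIST_RANGE) // (2 * HIST_RANGE / NUM_BINS))


def supremacy_histogram(agents):   # the morphological agent's shape: normalized, mean-centered histogram
    n = max(len(agents), 1)
    mean = sum(a.energy for a in agents) / n
    counts = [0] * NUM_BINS
    for a in agents:
        counts[bin_of(a.energy, mean)] += 1
    return [c / n for c in counts]


def classify(population):          # the designer's rule: 'good' while the population stays in the band
    return "good" if LOWER <= population <= UPPER else "bad"


class AnalysisAgent:               # learns 'good' shapes; sends feedback when the population leaves the band
    def __init__(self, memory=50, step=0.1):
        self.good_shapes, self.memory, self.step = [], memory, step

    def control(self, org):
        n = len(org.agents)
        shape = supremacy_histogram(org.agents)
        if classify(n) == "good":
            self.good_shapes.append(shape)
            del self.good_shapes[:-self.memory]
            return 0                                        # system fine: no feedback
        if not self.good_shapes:
            return 0                                        # nothing learned yet: the failure mode of Sect. 3.4
        target = min(self.good_shapes, key=lambda g: sum(abs(x - y) for x, y in zip(g, shape)))
        feedback = [t - s for t, s in zip(target, shape)]   # per bin: mass to add (+) or to shed (-)
        direction = 1.0 if n > UPPER else -1.0              # too many agents: fight more; too few: fight less
        mean = sum(a.energy for a in org.agents) / max(n, 1)
        complied = 0
        for a in org.agents:                                # only agents in over-populated bins are asked
            if feedback[bin_of(a.energy, mean)] < 0:
                a.eagerness = min(1.0, max(0.0, a.eagerness + direction * self.step))
                complied += 1
        return complied


def instantaneous_error(population):   # pseudo-distance to the closest threshold; zero inside the band
    return max(LOWER - population, population - UPPER, 0)


def error_rate(curve):
    return sum(instantaneous_error(p) for p in curve)


def run(cycles=1000, seed=0, controlled=True):   # one run; 1000 cycles as in the paper; returns population curve
    rng = random.Random(seed)
    org, curve = AspectualOrganization(50, rng), []
    analyst = AnalysisAgent() if controlled else None
    for _ in range(cycles):
        org.step()
        if analyst is not None:
            analyst.control(org)
        curve.append(len(org.agents))
    return curve
```

Comparing `error_rate(run(seed=s, controlled=False))` with `error_rate(run(seed=s, controlled=True))` over a few seeds reproduces the shape of the paper's experiment: the uncontrolled carrying capacity sits above the band, and raising the eagerness of agents in the over-represented bins burns energy in fights until the population falls back inside it. The `complied` count returned by `control` is what the remark in Section 3.4 about fewer than half the agents needing to comply refers to.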


3.4 Results and discussion 

The limitation of space does not permit us to discuss in details the results of all 
the simulations but we will mention the essential. 

Figure 2 sums up the results of two tests: one without control and the other with control. The instantaneous error rate is a pseudo-distance of the population curve to the closest threshold (if the population curve is in between both thresholds, the instantaneous error rate is zero). The error rate is the sum of all the instantaneous error rates in one 1000-cycle run. The average error rate for an analysis agent (if any) is computed over 10 such 1000-cycle runs.

The reference test was done without control; it consisted of 500 tests. The other series of tests was done with control, over 200 tests (the difference in the number of tests is due to available time; the ones with control took longer to compute). In both cases the target population size was 50 agents with a margin of 0.2 (lower and upper thresholds are 40 and 60 respectively).

Figure 1: The left figure shows the system when it is considered as fine. The right figure shows when the system needs adjustment.

Figure 2: Comparative plot with and without control. Cumulative curves show that this system allows control in most cases (85%).

Figure 3 displays a couple of examples of the system's behavior, with and without control. These curves give a more palpable, qualitative appreciation of control performance.

In most cases (85%) the control improves the system's behavior. However, the histograms reveal that in 15% of the cases it does worse. One possible explanation is that, in some cases, the initial configuration of the aspectual organization (i.e. when the analysis agent has learned nothing yet) does not permit the analysis agent to "discover" adequate shapes; it then learns inappropriately, and so controls the population size badly.
Figure 3: Example of typical (more than 50% of the cases) system behaviors (with and without control).


We also noted that in some cases fewer than half of the aspectual agents needed to comply with the morphological injunctions for the population level to be maintained at an appropriate value.

Developing more elaborate morphological analyses (augmenting the aspectual vector with other aspects of the agent's behavior, and using trajectories by introducing the time dimension into the morphological space) and using more appropriate learning mechanisms would allow finer control of the system.

4 Conclusion 

We seek to develop a general method to analyze and control multi-agent systems, and to make them self-adaptive. We briefly described the model based on the morphology approach of representing the system's state. This representation is available to the system in order to make it self-adaptive.

We illustrated the workings of the system with a simple example consisting of population control. The shapes used in this example were histograms representing the relative distribution of one of the agents' properties. A simple learning mechanism made it possible to outline and exploit a correlation between micro-level behavior and macro-level behavior.

Other interests include the development of more elaborate morphology descriptions and understanding the properties such a description needs in order to be useful (toward formalization?).
Abstract. This work aims to introduce a new concept for incorporating fuzzy sets into the hybrid deliberative/reactive paradigm. After a brief review of the basic issues of the hybrid paradigm, the definition of the agent-based fuzzy hybrid paradigm, which enables the agents to proceed and extract their behavior through quantitative numerical and qualitative knowledge and to impose their decision-making procedure via a fuzzy rule bank, is discussed. Next, an example provides a more applied platform for the developed approach, and finally an overview of the corresponding agent architecture enhances the agents' logical framework.


1 Introduction 


The definition of the agents' world could be based on their social rules, on the communication, cooperation and negotiation between them, and on their pursuit of the defined (pre-given) goals. The central concerns in this area refer on one side to the individual design aspects for developing the design task and leading to an improved behavior, and on the other side to their social rules, the cooperation of the individuals, and considerations based on the relationship between individual and overall social behaviors. The design aspect should be suitable for a time-constrained environment and for interactions with the environment, in order to make agents capable of reconfiguring and recovering from changes due to the environment and of satisfying other flexible design criteria. Intelligent agents acquire information from the world interface and are able to perform tasks which are supposed to meet deadlines on average [2].

In the heterogeneous approach the agents may differ from each other to ensure multi-robot coordination. The self-regulating agents concept is embedded within the environment, and their autonomous action meets the design objectives. Part of the problem, from the individuality point of view, refers to path planning and navigation, which implies the complexity of the problem and represents the physical limitations of the robot platform.

In a human-based model of agents there is a close dependency between deliberation, reaction and decision making, and the functional structure of the agents' relationships models these criteria [8]. When facing an unstructured or local environment, reactive planning is the most appropriate form of execution, whereas in a knowledge-rich environment (global/open world) a hierarchical paradigm works better, based on a deliberation process over global information and agent-specific abstraction. Deliberation functions cannot be extended independently of reactive behavior, and vice versa. Hybrid architectures benefit from both the reactive and the deliberative paradigm [5].



2 Incorporation of Fuzziness into Hybrid Paradigm 


As stated above, the agents need some reactive design base because of changes in the environment, which in turn may affect and limit the agents' (local) goals and their deliberation paradigm, which through a reasoning procedure and intentions leads to actions that achieve the goals (means-ends). We therefore need to balance the goal-directed (deliberative) and the reactive paradigm. A fuzzy approach provides a suitable setting for considering both aspects: the decision function is a fuzzy one that drives the choice of action, influenced by history and reconsideration, and enables the agents to develop cognitive functions for the evolution of intelligence.

Deliberation and reactivity face the problems of multiple conflicting criteria and multiple objectives. By incorporating fuzziness into the hybrid paradigm we can make decisions over vague, uncertain and inexact objects, capture human knowledge in the planning architecture without articulating an application-specific world model, and obtain an interpretation that is distinct from probability and randomness. The fuzzy approach benefits the representation of how agents model their world, plan, and solve problems in a closed or open world, and it is suited to experimenting with agents ranging from bold (never reconsider) to cautious (constantly reconsider), since the decision procedure works with degrees.

2.1 Development of the Concept of FHDRP 

The decision-making strategy is based on a deliberation-reaction fuzzy rule bank, with strategy acquisition that extracts the fuzzy rules in combination with real-time reasoning [3,4,6] (the fuzzy rules can be learned from experience with numerical and/or linguistic sample data, enhancing the system with the capabilities of learning-based systems such as neural networks).

The fuzzy deliberative/reactive rule bank is defined as follows:

- FRB: $(X_i, C_i, A_i)$, $i = 1, 2, \ldots, n$.

Where:

- Deliberation state conditions: $X_i = \{X_{i1}, X_{i2}, \ldots, X_{im}\}$, with deliberation fuzzy set $D = \{(X, m_D(X)) \mid X \in \Omega\}$, where $\Omega$ is the universe of the deliberations.

- Reaction state conditions: $C_i = \{C_{i1}, C_{i2}, \ldots, C_{is}\}$, with reaction fuzzy set $R = \{(C, m_R(C)) \mid C \in \Psi\}$, where $\Psi$ is the universe of the reactions.

- Actions through deliberation and reaction: $A_i = \{A_{i1}, A_{i2}, \ldots, A_{ik}\}$, with action fuzzy set $A_c = \{(A, m_{A_c}(A)) \mid A \in \Gamma\}$, where $\Gamma$ is the universe of the actions.

The fuzzy hybrid paradigm can be defined as the projection $D \times R \to A_c$, where $D$ is deliberation, $R$ is reaction and $A_c$ is the action power set. The $i$-th fuzzy rule reads:

If ($X_{i1}$ is $f_{x1}$ and $X_{i2}$ is $f_{x2}$ ... and $X_{im}$ is $f_{xm}$) and if ($C_{i1}$ is $f_{c1}$ and $C_{i2}$ is $f_{c2}$ ... and $C_{is}$ is $f_{cs}$) then $A_i$ is $f_{Ai}$.

So the behavior $\mathrm{Beh} \subset D \times R \times A_c$, with an ordering on $R$, can be defined as:

- $\mathrm{Beh} = \{(X_i, C_i, A_i) \mid X \in D, C \in R, A \in A_c\}$, or

- $\mathrm{Beh} = \bigcup_{i=1}^{n} X_{i1} \times X_{i2} \times \ldots \times X_{im} \times C_{i1} \times C_{i2} \times \ldots \times C_{is} \times A_{i1} \times A_{i2} \times \ldots \times A_{ik}$.

The parallel associative inference fires each fuzzy rule in parallel, but to different degrees.

As a traditional defuzzifier the max-height method can be used:

- $m_{A_c}(A^*) = \max_{A} m_{A_c}(A)$.

The defuzzification procedure can be completed with a priority rule or with the subsumption theory developed by Brooks [1]. We therefore obtain the inhibition relation $\prec$ in the hierarchy as follows:

$A_i \prec A_j$ if $(A_i, A_j) \in \prec$, read as: $A_i$ inhibits $A_j$, or $A_i$ is lower in the hierarchy than $A_j$ (so the lower, more reactive layer takes priority over the higher, deliberative one).


2.2 Example 

As an example (modified from [7] and [8]):

Suppose the objective is to collect samples of a particular type in an indoor environment and deliver them to a predefined place. The location of the samples is not known. A number of autonomous swarm agents are available for this problem, which can move around and collect the samples. Furthermore, the terrain is full of obstacles. This organized team of robots can negotiate and cooperate, dividing up the task in collaboration with a common coordinator, while the individuals make their own decisions and navigate autonomously.

In this problem we face a mix of path planning and deliberation/reaction planning, and we also need a path planning algorithm (see the next section for details) that represents the terrain sufficiently.

We can extract some fuzzy deliberation/reaction rules considering agent-specific criteria and agent cooperation, for example:

- Deliberation (if there are more samples in one direction, Move-to-that-direction) and Reaction (if near a sample and obstacles or other agents are far, Speed-up-towards-the-sample).

- Deliberation (if the obstacle is far, Choose-the-up-gradient-direction-toward-the-sample, Move-to-sample) and Reaction (if the obstacle is very close, Change-the-direction).

- Deliberation (if your partner is closer than you to a sample and there are fewer obstacles in his way, Communicate-with-your-partner and Let-him-pick-it-up).

- Deliberation (if another agent near you has more frustration, Go-in-his-direction and Pick-up-the-sample).

- Deliberation (if many other agents are in one direction, Choose-another-direction) and Social rule (if another agent is near you, Wait or Turn-to-the-left).

And so on.

For all the linguistic notions mentioned above that cannot be described exactly, such as more, near, far, close, few, ..., we can define the corresponding fuzzy sets; by defining the degree of indeterminacy we articulate a numerical data structure for the partial occurrence of events or relations and obtain a quantitative interpretation distinct from probability and randomness.

Finally, pure reactive rules such as Avoid-obstacle, Take-it when finding a sample, and Drop-the-samples when carrying samples and at the base have the highest priority and complete the decision procedure with inhibition characteristics.
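The following Python program is an added worked example (not code from the paper) that runs one FHDRP decision step over the sample-collecting rules of Section 2.2 using the machinery of Section 2.1: each rule fires in parallel to its own degree (min over its antecedents), the degrees are aggregated into the action fuzzy set A_c by max, and the max-height defuzzifier picks A* only after the inhibition relation has suppressed behaviours that a lower, reactive layer overrides. The membership functions, the distance ranges, the 0.5 inhibition threshold and the names of the state variables are assumptions chosen for the illustration.

```python
"""Worked FHDRP decision step (added illustration; the rules, linguistic terms
and thresholds below are assumptions, not the paper's).  A fuzzy
deliberation/reaction rule bank is fired in parallel (min/max inference),
aggregated into the action fuzzy set A_c, and defuzzified by the max-height
method after a subsumption-style inhibition relation has suppressed the
behaviours that a lower (reactive) layer overrides."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Membership = Callable[[float], float]


def tri(a: float, b: float, c: float) -> Membership:
    """Triangular membership function: 0 outside (a, c), 1 at b."""
    def mu(x: float) -> float:
        if x <= a or x >= c:
            return 0.0
        return (x - a) / (b - a) if x <= b else (c - x) / (c - b)
    return mu


def ramp(a: float, b: float) -> Membership:
    """Increasing ramp: 0 at or below a, 1 at or above b."""
    def mu(x: float) -> float:
        if x <= a:
            return 0.0
        if x >= b:
            return 1.0
        return (x - a) / (b - a)
    return mu


# Linguistic terms (assumed shapes; distances in metres, 'samples_ahead' is
# the fraction of sighted samples lying in the candidate direction).
NEAR = tri(-1.0, 0.0, 3.0)
CLOSE = tri(-1.0, 0.0, 2.0)
VERY_CLOSE = tri(-1.0, 0.0, 0.8)
FAR = ramp(2.0, 8.0)
MORE = ramp(0.5, 0.9)


@dataclass
class Rule:
    """If (X_i1 is f_x1 ...) and if (C_i1 is f_c1 ...) then A_i."""
    deliberation: Dict[str, Membership]   # X_ij is f_xj
    reaction: Dict[str, Membership]       # C_ij is f_cj
    action: str                           # A_i


# Rule bank built from the sample-collecting rules of Section 2.2.
RULES = [
    Rule({"samples_ahead": MORE}, {}, "Move-to-that-direction"),
    Rule({}, {"sample_dist": NEAR, "obstacle_dist": FAR, "agent_dist": FAR},
         "Speed-up-towards-sample"),
    Rule({"obstacle_dist": FAR}, {}, "Move-to-sample"),
    Rule({}, {"obstacle_dist": CLOSE}, "Change-direction"),
    Rule({}, {"obstacle_dist": VERY_CLOSE}, "Avoid-obstacle"),   # pure reactive
]

# Inhibition relation: (A_i, A_j) means A_i inhibits A_j, A_i being the lower,
# more reactive layer that takes priority (Avoid-obstacle ranks highest).
INHIBITS: Set[Tuple[str, str]] = {
    ("Avoid-obstacle", "Change-direction"),
    ("Avoid-obstacle", "Move-to-sample"),
    ("Avoid-obstacle", "Speed-up-towards-sample"),
    ("Avoid-obstacle", "Move-to-that-direction"),
    ("Change-direction", "Move-to-sample"),
    ("Change-direction", "Speed-up-towards-sample"),
}


def firing_degree(rule: Rule, state: Dict[str, float]) -> float:
    """Degree to which one rule fires: min (t-norm) over all its antecedents."""
    degrees = [mu(state[var])
               for cond in (rule.deliberation, rule.reaction)
               for var, mu in cond.items()]
    return min(degrees) if degrees else 0.0


def infer(rules, state: Dict[str, float]) -> Dict[str, float]:
    """Parallel associative inference: every rule fires to its own degree and
    the action fuzzy set A_c takes m_Ac(A) = max over rules concluding A."""
    ac: Dict[str, float] = {}
    for r in rules:
        ac[r.action] = max(ac.get(r.action, 0.0), firing_degree(r, state))
    return ac


def defuzzify(ac: Dict[str, float], inhibits: Set[Tuple[str, str]],
              threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """Max-height defuzzification, m_Ac(A*) = max_A m_Ac(A), completed with the
    inhibition relation: A_j is dropped when some inhibitor A_i fires at or
    above `threshold` (assumed value).  Returns (None, 0.0) if nothing fires."""
    active = {a: d for a, d in ac.items() if d > 0.0}
    suppressed = {aj for ai, aj in inhibits if active.get(ai, 0.0) >= threshold}
    candidates = {a: d for a, d in active.items() if a not in suppressed}
    if not candidates:
        return None, 0.0
    a_star = max(candidates, key=candidates.get)
    return a_star, candidates[a_star]


def decide(state: Dict[str, float]) -> Tuple[Optional[str], float]:
    return defuzzify(infer(RULES, state), INHIBITS)


if __name__ == "__main__":
    open_terrain = {"samples_ahead": 0.8, "sample_dist": 1.0,
                    "obstacle_dist": 9.0, "agent_dist": 9.0}
    wall_ahead = dict(open_terrain, obstacle_dist=0.3)
    print(decide(open_terrain))   # ('Move-to-sample', 1.0)
    print(decide(wall_ahead))     # ('Avoid-obstacle', 0.625)
```

In the `wall_ahead` state the plain max-height rule would select Change-direction (degree 0.85, the tallest action); the inhibition relation instead lets the lower-degree but lower-layer Avoid-obstacle win, which is exactly the priority the pure reactive rules are given above. When no rule fires at all the function returns no action rather than guessing, so the caller has to handle the idle case explicitly.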


3 FHDRP Control Architecture of the Agents 

The design base is suited to real-time execution, and the state hierarchy forms a layered intelligent structure in which each layer can be interpreted as a software agent or function, in order to develop logic-based concepts for robots and to ensure a modular construction for replanning and adapting the configuration.

The suggested control strategy and the proactive behavior can be based on supervisory control at the agent level. Coordinated decisions must suit the application-specific behavior of the user-level program embedded in the controller at run time. Application-specific information, the control algorithm and the planning strategy specify the agent code. The optimum should be defined with respect to our database, our rule base and the changes that will occur in the environment.

The approach (Fig. 1) is based on SENSE, then PLAN, then ACT: the sensed information passes through the planning layer and, by means of directives, is translated into actuator commands in a hierarchical paradigm. One of the inputs to the system is the sequence of environment states, or percepts, from which the control rules extract deliberative/reactive behaviors. Action rules are translated to the effectors through the corresponding sensor system, following the pattern of motor-schema action. The developed concept is applicable to both local and cooperative planning.

The fuzzy approach develops social ability, accommodates the uncertainty in the world model, and provides a balance between goal direction, reactivity and interaction between the agents in order to coordinate and control them, using both quantitative numerical and qualitative knowledge. Fuzzy rules cover attention, reasoning and information collection. A real-time processor is needed to carry out fuzzy reasoning about the global state in order to select the best behavior.

The behavioral manager plans which behavior to use in order to progress toward the goal; there are assumed mappings from the global data structure (sensory inputs) to behavior generation.

Behaviors are inherently parallel and distributed, and the goal-directed approach is a sequence of generic behaviors and of updates to the behavior.

The sequencer, as in the general hybrid architecture, generates the set of behaviors, adapts it in a managerial style, and subdivides the deliberation according to the control scope, enabling the system to develop behavior-based control that coordinates planful activities with real-time behavior for dynamic positioning and navigation (a behavior-based opportunity to change the direction of navigation), while taking into account goals, resources and timing constraints.


[Figure not reproduced; the only recoverable label is "Perceptual input".]

Fig. 1 FHDRP control architecture of the agents

The cartographer is responsible for information collection (the data structure) and path planning. The physical location of the agents and the coordinated control program are part of the global knowledge and shared data structure. To find the optimal path in the configuration space, an event noticed by the reactive system triggers event-driven replanning.

The path generation algorithm generates a path in advance with a hill-climbing algorithm to reach the target position, where the target position is given by the strategy system, and the behavioral control of the agent's moving direction is based on the direction of the target point and the agent's actual coordinates [6].

If an obstacle blocks the path, the path is replanned and optimized by computing the optimal route and decomposing it into waypoints [5], each a goal to reach. After reaching each waypoint the next goal is computed, and the cartographer gives the sequencer a set of waypoints to make qualitative navigation possible.
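As an added illustration of the cartographer loop just described (this is example code, not the paper's implementation), the following Python program hill-climbs on the Manhattan distance to the target, treats a step with no improving free neighbour as the blocking event, replans the optimal route with breadth-first search over the known grid, and decomposes that route into waypoints that the controller then pursues one at a time. The grid map, the choice of Manhattan distance as the potential, and the step budget are assumptions; the example also shows the unreachable-target case, where replanning fails and the loop reports that the goal was not reached instead of wandering.

```python
"""Cartographer path generation (added illustration, not the paper's code):
greedy hill climbing on the distance-to-target potential, with event-driven
replanning when the next step is blocked.  Replanning computes the optimal
(fewest-step) route with breadth-first search over the known grid and
decomposes it into waypoints, which the sequencer hands to the behavioural
controller one goal at a time.  The grid map is constructed."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Cell = Tuple[int, int]
FREE, WALL = ".", "#"

# Constructed map: 'S' start, 'T' target, '#' obstacle.  The wall segment in
# column 2 leaves the direct hill-climbing route blocked at cell (3, 1).
GRID_TEXT = """\
.....
.###.
..#..
S.#.T
....."""


def parse_grid(text: str) -> Tuple[List[List[str]], Cell, Cell]:
    grid, start, target = [], None, None
    for r, line in enumerate(text.strip().splitlines()):
        row = []
        for c, ch in enumerate(line):
            if ch == "S":
                start, ch = (r, c), FREE
            elif ch == "T":
                target, ch = (r, c), FREE
            row.append(ch)
        grid.append(row)
    return grid, start, target


def neighbours(grid, p: Cell):
    r, c = p
    for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        nr, nc = r + dr, c + dc
        if 0 <= nr < len(grid) and 0 <= nc < len(grid[0]):
            yield (nr, nc)


def manhattan(a: Cell, b: Cell) -> int:
    return abs(a[0] - b[0]) + abs(a[1] - b[1])


def hill_climb_step(grid, pos: Cell, goal: Cell) -> Optional[Cell]:
    """Greedy step: the free neighbour that most reduces the distance to goal.
    Returns None when no free neighbour improves on the current cell, i.e. the
    path is blocked or hill climbing is stuck in a local minimum."""
    best, best_d = None, manhattan(pos, goal)
    for n in neighbours(grid, pos):
        if grid[n[0]][n[1]] != WALL and manhattan(n, goal) < best_d:
            best, best_d = n, manhattan(n, goal)
    return best


def bfs_route(grid, start: Cell, target: Cell) -> Optional[List[Cell]]:
    """Optimal route (fewest steps) through free cells, start..target inclusive."""
    prev: Dict[Cell, Optional[Cell]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            route = []
            while cur is not None:
                route.append(cur)
                cur = prev[cur]
            return route[::-1]
        for n in neighbours(grid, cur):
            if n not in prev and grid[n[0]][n[1]] != WALL:
                prev[n] = cur
                queue.append(n)
    return None


def to_waypoints(route: List[Cell]) -> List[Cell]:
    """Decompose a route into waypoints: every cell where the heading changes,
    plus the final goal (the starting cell itself is not a waypoint)."""
    wps = []
    for i in range(1, len(route) - 1):
        heading_in = (route[i][0] - route[i - 1][0], route[i][1] - route[i - 1][1])
        heading_out = (route[i + 1][0] - route[i][0], route[i + 1][1] - route[i][1])
        if heading_in != heading_out:
            wps.append(route[i])
    wps.append(route[-1])
    return wps


def navigate(grid, start: Cell, target: Cell, max_steps: int = 500):
    """Returns (path, replans, reached).  Hill-climbs toward the current goal;
    when blocked, replans from the current cell and follows the waypoints."""
    pos, path, replans = start, [start], 0
    goals = [target]                      # sub-goals handed to the controller
    while pos != target and len(path) <= max_steps:
        if pos == goals[0]:               # waypoint reached: compute next goal
            goals.pop(0)
            continue
        nxt = hill_climb_step(grid, pos, goals[0])
        if nxt is None:                   # blocked: event-driven replanning
            route = bfs_route(grid, pos, target)
            if route is None:
                return path, replans, False
            replans += 1
            goals = to_waypoints(route)
            continue
        pos = nxt
        path.append(pos)
    return path, replans, pos == target


if __name__ == "__main__":
    grid, start, target = parse_grid(GRID_TEXT)
    print(navigate(grid, start, target))
```

Between two consecutive waypoints the BFS route is a straight, obstacle-free segment, so the greedy step is guaranteed to make progress there; the replanning event only fires when the greedy step has nothing better to offer, which is the condition under which pure hill climbing would otherwise stall in front of the wall.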

Solutions to problems such as interference, unproductive or failed members, agent interactions and communications, individuality and autonomy, emergent behavior, and heterogeneity can be found in collaboration with the coordinator. The coordinator defines new goals and sets the strategic plans, which lead to tactical instructions, and coordinates the relationship between strategy and the agents' set of tactical behaviors through social rules. The coordinator can modify the relationship between the behaviors of the agents: one strategy and several tactics.


4 Future Directions 

In later work we could enhance the agent architecture with learning-based distributed AI systems such as neural networks, to learn from experience and new data and thereby improve the agents' behavior. The learning system should develop the ability of on-line learning in a time-critical environment using qualitative abstraction, symbolic learning algorithms and rule generation, address the autonomous learning of sequential behavior, and gain the skills to carry out the plan with greater robustness and performance monitoring. We could also investigate the stability, redundancy and complementarity of the system.


References 

1. R. A. Brooks. A Robust Layered Control System for a Mobile Robot. IEEE Journal on Robotics and Automation, 2(1) (1986) 14-23

2. R. A. Brooks. Intelligence without Reason. Proceedings of the Twelfth International Joint Conference on Artificial Intelligence (IJCAI-91), Sydney, Australia (1991) 569-595

3. H. Hellendoorn. Reasoning with Fuzzy Logic. University of Technology, Delft (1992)

4. E. H. Mamdani. Application of Fuzzy Logic to Approximate Reasoning using Linguistic Synthesis. IEEE Transactions on Computers C-26, no. 12 (1977) 1182-1191

5. R. R. Murphy. Introduction to AI Robotics. Cambridge, Mass.: MIT Press (2000)

6. H. Sarmadi. An Approach to a Supervised Neural Network-based Fuzzy Controller. PhD Dissertation, Vienna University of Technology, Vienna (1995)

7. L. Steels. Cooperation between Distributed Agents through Self Organization. Decentralized AI: Proceedings of the First European Workshop on Modelling Autonomous Agents in a Multi-Agent World, Amsterdam, the Netherlands (1990) 175-196

8. M. Wooldridge. Intelligent Agents: the Key Concepts. Multi-Agent Systems and Applications II, 9th ECCAI-ACAI/EASSS 2001, Prague, Czech Republic (2002) 3-43



Interaction and Communication of Agents in Networks and Language Complexity Estimates


Jan Smid 1, Marek Obitko 2, David Fisher 3, Walt Truszkowski 4


1 Dept. of Computer Sci., Morgan State University, USA, jsmid@jewel.morgan.edu

2 Dept. of Cybernetics, Czech Technical University, obitko@labe.felk.cvut.cz

3 Software Eng. Inst., Carnegie Mellon University, USA, dfisher@sei.cmu.edu

4 NASA/GSFC 588, Greenbelt, MD 20771, USA, walt.truszkowski@gsfc.nasa.gov


1 Introduction 

Knowledge acquisition and sharing are arguably the most critical activities of communicating agents. We report on our on-going project featuring knowledge acquisition and sharing among communicating agents embedded in a network [7,8]. The applications we target range from hardware robots to virtual entities such as internet agents. Agent experiments can be simulated using a convenient simulation language. We analyzed the complexity of communicating-agent simulations using Java and Easel [2]. The scenarios we have studied (see also our previous work [6]) are listed below. The communication among agents can range from declarative queries to sub-natural-language queries.

- A set of agents monitoring an object are asked to build activity profiles based 
on exchanging elementary observations. 

- A set of car drivers form a line, where every car is following its predecessor. 
An unsafe distance can create a strong wave in the line. Individual agents 
are asked to incorporate and apply directions how to avoid the wave. 

- A set of micro-air vehicles form a grid and are asked to propagate information 
and concepts to a central server. 

2 Knowledge Acquisition and Communication 

For given knowledge representation language and agent communication language 
we follow several principles: 

- The agent network is a graph that has short search paths [9], [1].

- The individual agent is a graph that has short search paths.

- All graphs can change dynamically; communities can be formed and can communicate.

- The agent's understanding depends substantially on the semantic information.

For the knowledge acquisition of agents we use an algorithm that is based on the approach developed by J. Siskind [4]. In short, agents receive a sequence of utterances, each to be paired with a set of conceptual expressions. Conceptual expressions are assumed to be provided by, e.g., the agent's cognitive system, and consist of conceptual symbols. The basic problem is to map words onto conceptual symbols. The thesis is that natural-language-based knowledge representation is effective in representing the agent world.
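To make the word-to-symbol mapping problem concrete, the following Python program is an added example (not the project's implementation and not Siskind's full procedure [4]) of a simplified cross-situational learner: each utterance arrives paired with the set of conceptual symbols offered for its situation, a word's meaning is narrowed to the symbols present in every situation where the word occurred, and a symbol pinned to a single word is withdrawn from the other words. The utterances, the symbol names and the treatment of a contradictory pairing (the word keeps its last consistent candidates and is reported as a conflict instead of being emptied) are assumptions made for the illustration.

```python
"""Word-to-concept acquisition from paired utterances (added illustration,
not the project's implementation): a simplified cross-situational learner in
the spirit of Siskind's approach.  Each utterance arrives with the set of
conceptual symbols the agent's cognitive system proposes for the situation; a
word's meaning is narrowed to the symbols present in every situation where
the word occurred, and a symbol pinned to one word is withdrawn from the
others.  The utterances and symbols are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

Observation = Tuple[List[str], Set[str]]

# Constructed training stream: (utterance words, conceptual symbols offered).
OBSERVATIONS: List[Observation] = [
    ("robot picks sample".split(), {"ROBOT", "PICK", "SAMPLE", "NEAR"}),
    ("robot avoids obstacle".split(), {"ROBOT", "AVOID", "OBSTACLE"}),
    ("agent picks sample".split(), {"AGENT", "PICK", "SAMPLE"}),
    ("robot drops sample".split(), {"ROBOT", "DROP", "SAMPLE", "BASE"}),
]


def acquire(observations: Iterable[Observation]) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Returns (lexicon, conflicts): lexicon maps each word to its remaining
    candidate symbols; conflicts holds words whose candidate set would have
    become empty (a mis-paired utterance), which are left unchanged instead."""
    lexicon: Dict[str, Set[str]] = {}
    conflicts: Set[str] = set()
    for words, symbols in observations:
        for w in words:
            if w not in lexicon:
                lexicon[w] = set(symbols)
                continue
            narrowed = lexicon[w] & symbols     # cross-situational intersection
            if narrowed:
                lexicon[w] = narrowed
            else:                               # evidence contradicts all seen
                conflicts.add(w)
    # Exclusivity: a symbol that is the sole meaning of one word is withdrawn
    # from every other word, repeated until nothing changes.
    changed = True
    while changed:
        changed = False
        pinned = {next(iter(s)): w for w, s in lexicon.items() if len(s) == 1}
        for w, s in lexicon.items():
            for sym, owner in pinned.items():
                if owner != w and sym in s and len(s) > 1:
                    s.discard(sym)
                    changed = True
    return lexicon, conflicts


if __name__ == "__main__":
    lexicon, conflicts = acquire(OBSERVATIONS)
    for word in sorted(lexicon):
        print(word, sorted(lexicon[word]))
    print("conflicts:", sorted(conflicts))
```

With the four constructed utterances the learner pins robot, sample, picks and agent to single symbols, while avoids/obstacle and drops remain two-way ambiguous because nothing in the stream separates them; a further utterance whose symbol set contradicts an already-pinned word is flagged rather than silently erasing the word's meaning, which is the failure mode a learner fed by a noisy or hostile peer has to survive.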

3 Simulation Language Complexity 

For knowledge processing, as well as for other important agent-related tasks, we have studied the Easel property-based types (PBT) paradigm [2]. A type is a description of some class of objects, where a description is a set of properties. PBTs are intended to provide a foundation for automated systems that solve problems in ways analogous to those of humans. We further developed our initial comparison of Easel and Java presented in [6]. Java can be extended with special classes, such as an Actor class similar to the Easel actor type, which lowers the complexity of programming simulations, as in the Jade [3] agent development environment. However, PBTs are not native structures in Java.

4 Conclusion 

The presented knowledge acquisition method is promising for the next step of our 
project that deals with entities equipped with sensors. We have studied several 
examples of emergent agent systems and described knowledge acquisition and 
communication and the complexity of the implementation. The complexity of 
simulation using a specialized language such as Easel is lower compared with a 
general purpose language such as Java. The drawback of using a new language 
is the cost of mastering a special purpose language and its syntax rules. 